Slashdot Mirror


Insider Threat

Ben Rothke writes "Thousands of computer security books have been published that deal with every conceivable security issue and technology. But Insider Threat is one of the first to deal with one of the most significant threats to an organization, namely that of the trusted insider. The problem is that within information technology, many users have far more access and trust than they should truly have." Read the rest of Ben's review.

Title: Insider Threat
Author: Eric Cole and Sandra Ring
Pages: 397
Publisher: Syngress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1597490482
Summary: Excellent overview of the insider threat to networks and information systems

The retail and gambling sectors have long understood the danger of the insider threat and have built their security frameworks to protect against both the insider and the outsider. Shoplifters are a huge bane to the retail industry, exceeded only by thefts by the employees behind the registers. The cameras and guards in casinos watch both those in front of and those behind the gambling tables. Casinos understand quite well that an employee who spends 40 hours a week on the premises handling hundreds of thousands of dollars will, over time, learn where the vulnerabilities and weaknesses are. A minority of these insiders will commit fraud, which is invariably far worse than anything an outsider alone could carry out.

Insider Threat is mainly a book of real-life events that detail how the insider threat is a problem that affects every organization in every industry. In story after story, the book details how trusted employees find weaknesses in systems in order to carry out financial or political attacks against their employers. It is the responsibility of the organization to ensure that its infrastructure is designed to detect these insiders and that its systems are resilient enough to defend against them. This is clearly not a trivial task.

The authors note that the crux of the problem is that many organizations tend to think that once they hire an employee or contractor, the person is now part of a trusted group of dedicated and loyal employees. Given that many organizations don't perform background checks on their prospective employees, they are placing a significant level of trust in people they barely know. While the vast majority of employees can be trusted and are honest, the danger of the insider threat is that it is the proverbial bad apple that can take down the entire tree. The book details numerous stories of how a single bad employee has caused a company to go out of business.

Part of the problem with the insider threat is that since companies are oblivious to it, they have no framework in place to determine when it is happening and to deal with it when it occurs. As a result, when the insider attack does occur, which it invariably will, companies have to scramble to recover. Many times they are simply unable to recover, as the book details in the cases of Omega Engineering and Barings Bank.

The premise of Insider Threat is that companies that don't have a proactive plan to deal with insider threats will ultimately be the victim of one. The 10 chapters in the book expand on this and provide analysis of each scenario described.

Chapter 1 defines what exactly insider threats are and provides a number of ways to prevent them. The authors note that there is no silver bullet or single thing that can be done to prevent an insider threat. The only way to do this is via a comprehensive program developed within the framework of the information security group. Fortunately, all of these measures are part of a basic information security program, including fundamentals such as security awareness, separation and rotation of duties, least privilege to systems, logging and auditing, and more.

The irony of all of the solutions suggested in chapter one is that not a single one of them is rocket science. All of them are security 101 and don't require any sort of expensive software or hardware. Part of this bitter irony is that companies that are oblivious to these insider threats will spend huge amounts of money to protect against the proverbial evil hacker, while remaining oblivious to the nefarious accounts receivable clerk in the back office who is draining the coffers.

One example the book provides is that many companies feel they are safe because they encrypt data. An excellent idea detailed in chapter two is to set up a sniffer and examine the traffic on the internal network to ensure that the data is indeed encrypted. Reliance on encryption will not work if it is not set up or configured correctly. The only way to know with certainty is to test it and see how the data is actually transmitted over the wire. Many companies will be surprised to find that data that should be unreadable is being transmitted in the clear.
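The check described above can be given a first-pass triage script; the following is an added example (not from the book or this review) that takes the payload bytes of captured TCP segments, separates obviously readable traffic from TLS records and from high-entropy data, and pulls readable strings out of anything in between. The thresholds are heuristics chosen for this example and the sample payloads are constructed, not real captures.

```python
"""Triage captured payload bytes: readable, TLS, or high-entropy?

Added example (not from the book or this review). Feed it the payload bytes
of TCP segments exported from a sniffer; thresholds are heuristics chosen
for this example, and the sample payloads below are constructed, not real.
"""
import hashlib
import math
import re
from typing import Dict, List

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data
TLS_VERSIONS = {(3, 1), (3, 2), (3, 3)}       # TLS 1.0-1.3 record-layer versions
MAX_TLS_RECORD = 16384 + 2048                 # max fragment plus expansion
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def looks_like_tls_record(data: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(data) < 5:
        return False
    length = int.from_bytes(data[3:5], "big")
    return (data[0] in TLS_CONTENT_TYPES and (data[1], data[2]) in TLS_VERSIONS
            and 0 < length <= MAX_TLS_RECORD)


def readable_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Printable runs of at least min_len bytes, like the strings(1) tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify(data: bytes) -> str:
    """Return 'tls', 'plaintext', 'likely-encrypted' or 'review'.

    'review' covers payloads that are neither clearly readable nor clearly
    random (compressed data, binary protocols, binary framing around readable
    fields); those are exactly the ones that deserve a human look.
    """
    if looks_like_tls_record(data):
        return "tls"
    if printable_ratio(data) >= 0.9:
        return "plaintext"
    if len(data) >= 256 and shannon_entropy(data) >= 7.0:
        return "likely-encrypted"
    return "review"


def triage(payloads: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every named payload in a capture."""
    return {name: classify(data) for name, data in payloads.items()}


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed payloads (not real captures), one per verdict.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "http-json": (b"POST /api/transfer HTTP/1.1\r\nHost: pay.internal.example\r\n"
                  b"Content-Type: application/json\r\n\r\n"
                  b'{"account":"12345678","amount":2500}'),
    "tls-app-data": (bytes([0x17, 0x03, 0x03]) + (300).to_bytes(2, "big")
                     + _pseudo_random(b"tls", 300)),
    "raw-cipher": _pseudo_random(b"vpn", 512),
    "binary-wrapped": (_pseudo_random(b"hdr", 24)
                       + b"ssn=123-45-6789;dob=1970-01-01"
                       + _pseudo_random(b"trl", 40)),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_PAYLOADS).items():
        print(f"{name:16s} {verdict}")
        if verdict in ("plaintext", "review"):
            for s in readable_strings(SAMPLE_PAYLOADS[name]):
                print("    exposed:", s)
```

Anything that comes back as `plaintext` or `review` on a link the organization believes is encrypted is the finding the book is talking about; the `binary-wrapped` sample shows why a printable-ratio check alone is not enough and the strings pass is needed.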

Some of the suggestions the authors propose will likely ruffle some feathers. Ideas such as restricting Internet, email, IM and web access to a limited number of users may sound absurd to some. But unless there is a compelling business need for a user to have these technologies, they should be prohibited. Not only will exposure to the insider threat be reduced, productivity will likely increase as well.

The authors also suggest prohibiting iPods or similar devices in a corporate environment. The same device that can store gigabytes of music can also be used to illicitly transfer gigabytes of corporate data.

Insider Threat provides verifiable stories from every industry and sector, be it commercial or government. The challenge of dealing with the insider threat is that it requires most organizations to completely rethink the way they relate to security. It is a challenge that many organizations would prefer to remain oblivious to, given the uncomfortable nature of the insider threat. But given that the threats are only getting worse, ignoring them is inviting peril.

The book's only shortcoming is that even though it provides a number of countermeasures and suggestions, they are somewhat scattered and written in an unstructured way. It is hoped that the authors will write a follow-up book that details a thorough methodology and framework for dealing with the insider threat.

Overall, Insider Threat is an important work that should be required reading for every information security professional and technology manager. The issue of the insider threat is real and only getting worse. Those that choose to ignore it are only inviting disaster. Those companies that put office supplies and coffee under double lock and key, while doing nothing to contain the insider threat, are simply misguided and putting their organization at risk.

Insider Threat is a wake-up call that should revive anyone who doubts the insider threat.

Ben Rothke, CISSP, is a New York City-based security consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006). He can be reached at ben@rothke.com."


  1. Very true by HangingChad · · Score: 4, Insightful
    The problem is that within information technology, many users have far too much access and trust than they should truly have.

    Another problem I've seen is execs granting themselves and their assistants way more access than they really need to do their job. It's a power issue for some of them. I run the company and should be able to get to anything.

    That's not every company and SOX has made thinking about the consequences more attractive for the higher ups.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Very true by DaHat · · Score: 4, Interesting

      There can often be a trickle down effect of that as well... resulting in nearly the entire company having too much access.

      The company I work for, for instance... EVERYONE has administrator rights to their desktop. Everyone from us lowly engineers in the back who bend our machines to their limits... up to the sales people who just use our proprietary apps (which do not require admin access) and Outlook.

      Long ago, IT tried to restrict most users... unfortunately enough complained about not being able to do what they wanted (not always what they needed to do), and the policy was reversed.

      This has of course enabled HR persons to install spyware that was suggested by a secretary.

      I am still waiting for the day we have someone run a piece of malware who didn't know any better that brings the entire network, and most of its users, to their knees.

    2. Re:Very true by wiz31337 · · Score: 2, Interesting

      Very true, some of the most knowledgeable people at a company are its administrative assistants. They sit in on meetings and soak up the knowledge, and they need access to many different files (or servers as the case often is) so they can update files, or post notes. They are not often the highest paid either, so if someone offers them a lot of money to get some information, they just may crack.

      This book reminded me of another good read, "Art of Deception" by Kevin D. Mitnick. You would be surprised how easy it is to get information from people.

      --
      /whisper/ Thanks for the candy!
    3. Re:Very true by cli_man · · Score: 0

      Something that I always found to be interesting while working as a contractor at different universities is that I have been routinely given higher access than the Deans or the President of the university. Now I would never use the access for anything that I did not actually need to get the job done, but it seems odd that that kind of access would be granted to a complete outsider of the system.

      --
      The nice thing about Windows is - It does not just crash, it displays a dialog box and lets you press 'OK' first. Reg
    4. Re:Very true by diersing · · Score: 2, Funny
      "I am still waiting for the day we have someone run a piece of malware who didn't know any better that brings the entire network, and most of its users, to their knees."

      Why wait, just schedule it the night you leave for vacation.

    5. Re:Very true by sammy+baby · · Score: 1

      So, so true. I nearly got disciplined once for explaining to my boss that I wasn't going to give him root access on our Debian boxes.

    6. Re:Very true by shawn(at)fsu · · Score: 1

      I don't know if that's such a bad thing all of the time, esp. if you work on the road or from home. A lot of the people at our company and IT company are pretty good with computers. If a machine breaks it's quicker and cheaper to be able to fix it right then and there rather than calling desktop support and having them charge you for the repairs. It's even better now that our help desk is outsourced to India. Not that that's bad, but sometimes it's hard to understand. Granted, the way our install images are set up, some programs are installed that cannot be removed even by the admin: ZoneAlarm and our virus scanning software. So having admin rights on a desktop isn't as bad as, say, a server. Not all the time anyway, as long as you don't decide "Oh yes, I want 10000 3D animated smilies, thanks for asking."

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    7. Re:Very true by TWX · · Score: 2, Informative

      "This book reminded me of another good read, Art of Deception by Kevin D. Mitnick. You would be surprised how easy it is to get information from people."

      No, I wouldn't be surprised. I'm able to figure out any random user's password about 70% of the time just based on their pictures or other obvious habits. Couple that with organizations that give users full local computer administrator access (the bane of any kind of real security) and weak password schemes on remote systems and it's a wonder that there aren't MORE problems than there are.

      I understand why some of the lackadaisical policies on security have come to exist; IT departments not responding quickly to user requests for necessary changes in access causes users to fight for access, IT departments' annoyance with having to change user access on a frequent basis causes their own annoyance, and software that requires more access to install or use than should really be necessary all contribute to this problem. It also doesn't help that some of the many business-friendly devices like PDAs use the same conduits that tiny, insecure storage devices like USB flash memory use, so people wishing to steal data can do so with ease.

      I do understand why company owners or upper management want to have the ability to have admin-level access; it's easier if they have to fire an IT administrator to be able to set up the account for a new IT administrator, it's easier if they have to provide access to some kind of emergency after-hours IT consultant, and it's just good for the owner to have a key. The trouble is that too many owners decide to use such an account as their own personal account rather than operating from a restricted account and only logging in as the SysOp when necessary. I've seen many neophyte Linux users operate as root 24/7, only to be compromised by a trojan, or much more commonly, break the computer themselves by mistake because they fumbled something that would have been trivial as a user, but catastrophic as root.

      I can't remember the last time that I had to log in as root on my own box; I read logs and have basic hardware management set so my user account can handle it, but I rarely if ever have to change IP addresses or renew a DHCP lease by hand, reboot, or reconfigure anything. When I have to, sudo is my friend, so I don't even have to run a root shell unless I'm going to be spending so much time changing or editing that running a shell makes sense. I'd rather just not take the risk.

      --
      Do not look into laser with remaining eye.
    8. Re:Very true by Hockers · · Score: 2, Funny
      This book reminded me of another good read, "Art of Deception" by Kevin D. Mitnick. You would be surprised how easy it is to get information from people.
      You mean you actually believed what you read in a book called the 'Art of Deception' describing how easy it is to con people into believing things?
    9. Re:Very true by udderly · · Score: 3, Interesting

      This book reminded me of another good read, "Art of Deception" by Kevin D. Mitnick. You would be surprised how easy it is to get information from people.

      I was working for a large retailer about five years ago when I accidentally sent the wrong pricing file for a sign-making program to all 105 stores in our marketing area. So I needed to get into each store's computer via PC Anywhere and manually change the file. It went something like this:

      Mgr or Asst. Mgr.: This is Mr./Mrs./Ms. Manager, how can I help you?

      Me: Hi, I know that you don't know me but this is Joe from Advertising. I make up the signs and there's an error with next week's file that I need to fix.

      Mgr or Asst. Mgr.: Oh, well we certainly don't need wrong information on our signs. What do you need me to do?

      Me: Right click on Network Neighborhood, double-click the connection and read me your IP address.

      Mgr or Asst. Mgr.: Okay, it's xxx.xxx.x.xxx

      Me: Super. I will be in your computer changing some stuff for a few minutes so don't be alarmed if stuff starts happening on your screen.

      Mgr or Asst. Mgr.: Okay, thanks.

      The crazy thing about it is *not one person* in the 105 stores ever questioned whether I should have that information even though none of them knew me or could ascertain where I was calling from. Not even close--they all cheerfully did what I asked without hesitation. Scary!!

    10. Re:Very true by Anonymous Coward · · Score: 0

      If the administrator restricts the rights of a user, the boss, as long as nothing has happened, will take it to mean that the administrator distrusts the user, because the boss does not understand that while he himself may be able to "only click on network folders which he sees", a malicious user in a trusted environment might, by escalation of rights, very well see everything not denied to him in principle.

      So try to convince the boss that nice, productive and slimy Mr. Ben Dover, who has often helped the boss to do "magic" things on his computer and complained that your restrictive network policy hinders him in doing so......

    11. Re:Very true by sjwaste · · Score: 2, Insightful

      So, so true. I nearly got disciplined once for explaining to my boss that I wasn't going to give him root access on our Debian boxes.

      And you should have been. You don't go "telling" your boss what he can or cannot have, he's your boss. If he tells you to do it, do it. It's then his liability.

      Why are there so many IT people with zero interpersonal skills? Instead of flat out refusing, you could've simply explained why it wouldn't be a good idea. It's your job to present the facts, and you can even spin them in a persuasive way (it's called politics, try it), but it's his job to make the decisions, not yours.

      Soft skills will only help your career. Present the facts, play the politics a little to sway the decisionmaker towards your side of things, but reserve being too firm unless it REALLY needs to be done. If he goes against your advice and the network falls apart, it isn't your fault.

    12. Re:Very true by LaCosaNostradamus · · Score: 1

      What you're really saying is that the executives are the real weak point in the organization. Considering how much overall operational power they're granted, combined with an equally large level of a lack of oversight, you're close to realizing the real problem.

      --
      [You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
    13. Re:Very true by bobdehnhardt · · Score: 2, Insightful

      I had the rare opportunity of pulling our CEO's physical access to the data centers because he had no business need for it. He responded that he liked to take potential clients on tours of the facilities, and the data center part was very impressive to them. I countered that he could still do that (wince), but he and his party would have to be escorted; consider it an opportunity to point out to potential clients how serious we are about security. It worked - he's told me that he has received several comments about it, all good....

      You have to couch things like this in ways that they can use to their (and the company's) advantage. "We're more secure" isn't a good enough answer.

    14. Re:Very true by lgw · · Score: 1

      I've worked for large corporations for most of my adult life. I've always had admin access to my own machines, and I doubt I'd work at a company that thought it was necessary to remove it. A network admin that can't keep the network usable, despite all the crazy shit users get up to, just isn't very good at his job, IMO.

      This book (and especially Mitnick's book) points up the folly of infuriating password schemes where each user has 17 passwords that are each changed on different schedules with different rules. That only decreases security, as a frustrated user is far more likely to cooperate with social engineering, calls to the helpdesk to reset passwords aren't even noteworthy, multiple failed password attempts are routine, etc.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    15. Re:Very true by Saint+Jimmy · · Score: 1

      Well... you do need to take everything Kevin Mitnick says with a grain of salt. I respect him, but I've heard some of the interviews he did on security on the Coast to Coast program over the last few years and let's just say it sounds like he exaggerates things just a bit.

      --
      To alcohol and cigarettes and Mary-Jane to keep me insane doing someone else's cocaine
    16. Re:Very true by Heembo · · Score: 1

      Long ago, IT tried to restrict most users... unfortunately enough complained about not being able to do what they wanted (not always what they needed to do), and the policy was reversed.

      So what? Each and every version of MS Office has codified escalation to admin privileges at some points - even when running with a restricted user account. MS has acknowledged this problem. Running as a restricted user is only a small part of defense-in-depth.

      --
      Horns are really just a broken halo.
    17. Re:Very true by khallow · · Score: 1
      And you should have been. You don't go "telling" your boss what he can or cannot have, he's your boss. If he tells you to do it, do it. It's then his liability.

      It's a tough call, but this could have had significant liability for the employee as well. Depending on the circumstances, this may have been a time to put the foot down.

    18. Re:Very true by DaHat · · Score: 1

      So what? Each and every version of MS Office has codified escalation to admin privileges at some points - even when running with a restricted user account.

      Link?

    19. Re:Very true by TubeSteak · · Score: 1

      I'm usually able to get people's passwords with a win2k installation cd, a floppy disk and my dvd of rainbow tables.

      The two longest parts of the process are waiting for the win2k cd to boot, and loading the rainbow tables into RAM.

      --
      [Fuck Beta]
      o0t!
    20. Re:Very true by TubeSteak · · Score: 1

      A good boss should be able to choke down his rage and look at what's being said objectively. Also, a lot of people don't feel the need to 'spin' things when they think the reasons are obvious.

      Sometimes there are liability issues too. If that box is your responsibility and your boss fscks things up... guess what, it is still your responsibility.

      Feel free to write a memo 'confirming' what the boss has put in place. This is standard ass-covering tactics if you are forced to do something you don't like. Oh and memos should always be in triplicate. Bureaucracy loves papers to be filed in triplicate.

      --
      [Fuck Beta]
      o0t!
    21. Re:Very true by TWX · · Score: 1

      Yeah, but that's a lot more involved than just walking up to the Director of Audit Service's desk, looking at the back of the photo of his daughter, and typing the name that was written down into the password field...

      And the process that I describe and use really doesn't take any skill with a computer.

      --
      Do not look into laser with remaining eye.
    22. Re:Very true by TWX · · Score: 1
      "I've worked for large corporations for most of my adult life. I've always had admin access to my own machines, and I doubt I'd work at a company that thought it was necessary to remove it. A network admin that can't keep the network usable, despite all the crazy shit users get up to, just isn't very good at his job, IMO."

      When I was a student at the university I used the X-terminals that they had in the computing sites. I didn't have any more access than anyone else who had user-level access to the UNIX machines. The only perk that I had was that a teacher was willing to sign off on expanding my AFS account to the maximum 200MB size, so that I had room to store programs that I had compiled locally. I was able to use my own choice of window manager, productivity suite, and even things like IRC clients and web browsers without needing insanely high levels of access. Yeah, I did a lot of my own compiling, but only because it was an HP-UX machine, so there weren't precompiled binaries for some of what I wanted to do. If it had been a Sun box or a Linux box it would have been even easier.

      Local administrator access isn't necessary if the computer allows users to install software at a user level rather than on a systemwide level. Since user software should all run in userland, that should never have become an issue. Unfortunately Microsoft decided to do things differently and we all pay the price for that.
      --
      Do not look into laser with remaining eye.
    23. Re:Very true by inKubus · · Score: 1

      Actually, what you are saying is a poor excuse. IT obviously does not have enough experienced people who know how to actually implement group policies (on whatever OS you use), design a security hierarchy, etc. Once you have a framework in place, it's really quite easy to grant exceptions.

      I run a small server 2003/win xp network and it's really pretty easy to do anything you want. You can even choose a default list of bookmarks to put on a user's web browser.

      One problem I have noticed is shitty web based applications that require admin access to run properly. A web app should NEVER need access to /WINDOWS or the registry. There are a few other apps that don't run nice unless you're administrator. In most cases, you can just figure out which files the app needs to have access to and chmod them to what they need to run.

      I have run on both types of network, and I'm telling you, users do and should not run as administrator on your windows boxes. You are just making yourself a huge headache if you don't sit down and learn how to set up the network properly.

      And, to be on topic, there are also extensive auditing functions built into every OS that enable you to track who opens what and when. Trust is important in a business environment but you must manage trust just as you manage risk. That means taking the risk of giving trust and rights and making sure that if they are misused you can hold people accountable.

      From the Non-disclosure agreement they sign on their first day to the termination of their accounts on their last, you need a solid backed up record of every user's activity.

      --
      Cool! Amazing Toys.
    24. Re:Very true by renoX · · Score: 1

      The thing is: Windows doesn't work very well when you don't have administrator rights: once I had lots of trouble roaming from one point to another with my laptop, as it took numerous reboots to have the laptop find the servers.
      Only once I had the administrator password was I able to connect successfully.

      As always, it's a conflict between ease of use and security.

    25. Re:Very true by Anonymous Coward · · Score: 0

      "I was working for a large retailer about five years ago when I accidentally sent the wrong pricing file for a sign-making program to all 105 stores in our marketing area. So I needed to get into each store's computer via PC Anywhere and manually change the file."

      So, again, the problem was a dumb ignorant IT "professional" who didn't know better.

    26. Re:Very true by sammy+baby · · Score: 1

      I'm sorry it took me so long to get back to this post, but now that I've discovered it, I can't help but respond. It is, by far, one of the silliest things I've ever read.

      The truth is that some managers are simply incapable of grasping the technical intricacies of IT work. This was clearly the case here: my boss at the time heard me say "root access" once in relation to one of our servers, and said that he wanted the ability to perform root tasks. He didn't need that ability, wouldn't have known how to apply it if he'd had it, and I would no more have let him log in as root to that server (or, worse: given his own account root privileges, as was his initial order) any more than a surgeon would assist you to operate on your own spleen.

      To allow him to do so would have been a failure in professionalism on my part. And were the network to have fallen apart due to my improperly giving him that level of access: there are times when it's better to let someone wind up with egg on their faces. This wasn't one of them. If I get disciplined, I get disciplined: if he hoses the network, we lose clients, and I'd have lost my job. Besides which, once he'd calmed down, he eventually realized that the access I had already given him gave him everything he needed or wanted.

      Lastly, to leave you with an idea of the level of sophistication this user had: This same person wanted to show viewers the difference between various video-conferencing options, operating at a variety of bandwidths and compression levels. Specifically, he wanted to demonstrate "what uncompressed video looks like." Full screen, at NTSC resolution. At T1 bandwidth. In the year 1999.

      When I explained to him that the resultant video stream would be impossibly large for the majority of home users, his response was to suggest compressing the video. What followed was a half-hour conversation - escalating into an argument - during which I futilely tried to explain to him that you can't show someone a compressed video stream and then say, "this is what uncompressed video looks like". When we eventually concluded, he immediately went to the head tech and made the same request of him. The head tech's verbatim response: "Are you fucking crazy?"

    27. Re:Very true by lgw · · Score: 1

      I guess my point, more concisely, is "admin access is dangerous - I'd be foolish to trust my loser network admins with it". Of course, network admins say the same thing about users, but what do they know? ;)

      --
      Socialism: a lie told by totalitarians and believed by fools.
    28. Re:Very true by Heembo · · Score: 1

      I spent a great deal of time looking for a link with no luck. This was a "rumor" passed to me by someone whom I respected a great deal. I assume it's from the past, Win95 era, but am still looking to confirm that this is still the case.

      --
      Horns are really just a broken halo.
    29. Re:Very true by sjwaste · · Score: 1

      I don't disagree with your motives, I disagree with "telling", as I've often seen IT people in this building "tell" people things. There are more diplomatic ways to handle the situation.

      I don't think your boss should've had root in the context you described, and I do agree that he's unsophisticated given the portrait you've given.

      My only disagreement, and probably why you almost got disciplined, was the way you implied you handled it. You'll likely never lose your job in IT for being unpolished, but you'll also have a harder time getting promoted very far (not impossible). I'm certain you could've accomplished what you set out to do w/o the "telling" part of it. I'm not saying be indirect, but I've seen IT folks here "tell" people what they can and cannot do. It only builds resentment... not because you're not giving them what they want, but because you delivered it the wrong way.

      Again, I'm not saying your desired result was incorrect. I wouldn't have given him access either.

  2. Agreed by dilute · · Score: 4, Funny

    I thought of hiding my root password from myself

    1. Re:Agreed by Anonymous Coward · · Score: 2, Funny
      I thought of hiding my root password from myself

      But I bet you found it again, taped under your keyboard.

    2. Re:Agreed by TWX · · Score: 1

      I tape it under my mouse to be secure through being more obscure. Unfortunately since I've been using a GUI on the box, the ink got smudged since I wrote it down a year ago.

      --
      Do not look into laser with remaining eye.
    3. Re:Agreed by Anonymous Coward · · Score: 0

      I've worked in a shop where we literally did this. A cron job fired from root's crontab each hour, read 12 characters from /dev/urandom, selected the ones in the valid ASCII range and changed the password to the string that resulted.

      When we needed to log in as root, we went through multi-factor authentication to get to a trusted host, which then allowed us to use ssh keys to log in as root anywhere we needed. Further, we used a workalike to sudo which allowed us to log in under most circumstances as unprivileged users and execute things as root.

      For the really rare times we actually had to log in as root (all of which centered around rebooting anyhow), we'd simply boot into single user, change the root password to a monthly rotated, acceptably strong password, do our thing and then in an hour or less the password was re-randomized.
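      An added example of the hourly rotation described in this comment (it is not the commenter's script). It assumes a Linux host with the shadow-utils `chpasswd` command and a constructed cron path; it also shows why the filtering must happen before the characters are counted, otherwise "read 12 characters, keep the valid ones" yields a password shorter than 12.

```python
"""Hourly rotation of root's password to a random printable string drawn
from /dev/urandom (added example; assumes Linux with chpasswd)."""
import os
import string
import subprocess

# Printable ASCII minus whitespace, quotes and backslash: safe to pipe into
# chpasswd and to type on a console during the single-user recovery the
# comment describes.
ALPHABET = frozenset(c for c in string.printable
                     if c not in string.whitespace and c not in '\'"\\')


def urandom_password(length=12):
    """Keep reading /dev/urandom until LENGTH allowed characters are collected.

    Filtering first and counting second is the point: reading exactly LENGTH
    bytes and then discarding the non-printable ones would leave a string
    shorter than LENGTH most of the time (only about a third of byte values
    fall in ALPHABET).
    """
    chars = []
    while len(chars) < length:
        for b in os.urandom(32):
            c = chr(b)            # byte values 0-255; only those in ALPHABET survive
            if c in ALPHABET:
                chars.append(c)
                if len(chars) == length:
                    break
    return ''.join(chars)


def rotate_root_password(run=subprocess.run, length=12):
    """Set root's password to a fresh random value and return that value.

    `run` is injectable so the rotation can be exercised without root; the
    real call is `chpasswd` reading 'root:<password>' on stdin.
    """
    pw = urandom_password(length)
    run(['chpasswd'], input=f'root:{pw}\n'.encode(), check=True)
    return pw


# Root crontab entry for the hourly rotation (constructed path, assumption):
#   0 * * * *  /usr/local/sbin/rotate_root_password.py
if __name__ == '__main__':
    rotate_root_password()
```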

    4. Re:Agreed by haralder · · Score: 1

      I don't know my root password, I use sudo instead.

  3. Too much access and trust.. by kimmo · · Score: 1

    Some have, some don't.

    Usually those not in need of all their access rights do have them for some reason. Those that would really need them have to go through the pain of filling in forms and stuff..

  4. Too much trust... by RandoX · · Score: 4, Interesting

    I've experienced working at a place where an employee walked out with information (and was subsequently sued into oblivion). Afterwards, all computers were locked down to the point where it made it nearly impossible to get any work done. Ever try to troubleshoot a data issue when you have to get your supervisor to log you into the database server every time? It can be hard to find a happy medium.

    1. Re:Too much trust... by Spy+der+Mann · · Score: 1

      Afterwards, all computers were locked down to the point where it made it nearly impossible to get any work done. Ever try to troubleshoot a data issue when you have to get your supervisor to log you into the database server every time?

      Let's call that the "post-9/11 effect".

    2. Re:Too much trust... by Dan667 · · Score: 1

      Having just spent the last two days trying to make a maintenance agreement software purchase (that I have made without problem for the last 4 years), and still have not been able to because I am no longer trusted. I would say it is very very difficult to get this right, especially since I have root passwords to more than a dozen systems.

      I can only guess their reasoning is that I need to be trusted to do the work, I should have all the access I need to do the work, but should have no actual work to do.

    3. Re:Too much trust... by diersing · · Score: 2, Insightful
      And how does having root correlate to having authority to spend the company's money?

      It's VERY common to separate the administrative tasks of purchasing and renewing maintenance agreements away from engineering.

    4. Re:Too much trust... by Dan667 · · Score: 1

      If a person is trusted to make changes in a company that greatly affect the bottom line and they are wanting to make purchases in their area of expertise that facilitate their and the company's success, they should have the authority to spend the company's money. I have no problem with a check and balance system, but several VPs have already signed off on this. They see the financial big picture, so convincing some administrator who has no expertise and does not have access to the financial big picture is a waste of resources. Sad really.

  5. another book... by sammy+baby · · Score: 1

    Another recent book on the same topic: Extrusion Detection: Security Monitoring for Internal Intrusions . Haven't read it yet, but looks interesting.

    (Although when I read the title, I kept thinking of detecting things that are extruded. WARNING! SILLY PUTTY FUN FACTORY DETECTED.)

  6. I hate books like this by UndyingShadow · · Score: 4, Insightful

    I hate books like this. Management reads stuff like this and starts making it difficult for employees to get any work done. Worse yet is if they start trying to take away the IT department's power. In every environment I've ever worked in, I've EARNED the trust of my fellow geeks and been given access gradually. I don't abuse it. A good IT department never fully trusts anyone. I never fully expect to be trusted. These kinds of books just complicate that delicate geek balance.

    1. Re:I hate books like this by Anonymous Coward · · Score: 0

      Amen!

      In our organization, one person in a position of medium influence took a security course (that went to their head) and as a result, rights were so restricted that people could not do their jobs. Higher level rights could only be granted by people that were not on call or always available. This means that we could find ourselves in a situation where something needs to be fixed RIGHT NOW and people who know how to do it cannot respond and the people who can grant rights cannot be reached. This is serious. (Healthcare; Hospitals; Emergency wards; including medical imaging). Luckily we haven't been bitten so far.... ..Sigh..

    2. Re:I hate books like this by alienmole · · Score: 1

      Management reads stuff like this

      You have management that reads???

  7. The only point I would disagree.. by IAAP · · Score: 2, Insightful

    is that I would want access in case, for whatever reason, I had to throw the admin out the door and get someone else to his job.

    1. Re:The only point I would disagree.. by legirons · · Score: 1

      "I would want access in case, for whatever reason"

      That's far too sensible. What's supposed to happen is, you find out that some vital system is broken and the two people who have passwords necessary to fix it are on holiday or at a conference.

      Even better if it's something like desktop OS or firewall upgrades needing authorisation, when a new virus comes out.

    2. Re:The only point I would disagree.. by turbidostato · · Score: 1

      "What's supposed to happen is, you find out that some vital system is broken and the two people who have passwords necessary to fix it are on holiday or at a conference."

      You put the blame on whoever drew the policy or whoever didn't comply with it. If it is such a sensible resource, how the heck is it that there's no way to recall it at any moment?

      You can ask "what if the two knowing the password are out of office?" just the same as you can ask "what if both pilot and copilot become intoxicated over the Atlantic?" In both cases the answer is the same: "that won't happen: policy forbids it".

      All this is quite well and good, but seems to forget the number one rule regarding security: you won't push more effort into protecting it than its own value.

      There will be circumstances where the resource to be secured truly deserves the expenditure (and if broken, there should be a professional reputation at stake, if not even civil or penal responsibilities); there are many more cases where, despite the "hear, hear" voices, the overload "high level" security imposes really doesn't pay (as i.e. credit card fraud protecting people know just too well).

  8. Do you want that trust? by P3NIS_CLEAVER · · Score: 3, Insightful

    A good security policy protects administrators too... if something happens you will be less likely to get blamed for something you didn't do.

    --
    Please sign petition to restore sanity to our banking system!!!

    http://financialpetition.org/
  9. woo,... by User+956 · · Score: 3, Funny

    The problem is that within information technology, many users have far too much access and trust than they should truly have.

    Yes, which is why we "need" Trusted Computing(tm) which will solve all of our problems.

    --
    The theory of relativity doesn't work right in Arkansas.
  10. Of course by Anonymous Coward · · Score: 1, Interesting

    Think about AOL. There were and are tons of external threats and intrusions in their systems. But who makes headlines? The contractor who had access to the big database o' screennames.

    Security 101 indeed.

    1. Re:Of course by TubeSteak · · Score: 1
      Actually, last time I checked, it was an employee who did the deed.

      http://www.thesmokinggun.com/archive/0623042aol1.html

      An AOL software engineer was arrested today for stealing the company's entire subscriber list--totaling 92 million screen names--and selling it to a 21-year-old Las Vegas spammer. According to the below federal criminal complaint, Jason Smathers, 24, last year illegally accessed the highly confidential AOL list by using another employee's identification codes. Smathers, who worked in AOL's Dulles, Virginia office, then allegedly sold the list to Sean Dunaway
      --
      [Fuck Beta]
      o0t!
  11. Oblivious to the problem, or resigned to it? by Control+Group · · Score: 5, Insightful

    This sounds bogus to me.

    I doubt many companies are "oblivious" to the insider threat, it's just considered an acceptable cost of doing business. For example, a grocery store I used to work at knew perfectly well that their employees were lifting candy from the bulk candy dispenser (to pick an example). But they also knew the money they lost on that was significantly less than the cost of installing cameras and paying someone to review the tapes, or than the cost in lost sales of eliminating the bulk candy dispenser. So, when someone was caught red-handed, they were read the riot act (at least) or outright fired (at worst), but no special effort was made to catch people.

    I don't think the owners of that grocery store were business prodigies, either. My guess is that the same sort of logic applies to most employers: the cost of preventing the infraction is higher than the cost of allowing it. The truth of this is reflected in which industries do protect themselves against the "insider threat": places like casinos, where a successfully criminal insider could lose them huge quantities of money.

    Meanwhile, the book seems to make the same suggestion a lot of security experts do: if a user doesn't need the technology, then don't let them use it. This sounds good, but it carries costs, too. First, of course, the cost of setting up and maintaining a network that enforces such policies. But second, the cost in employee morale, which cannot be discounted. Another job I had not all that long ago was in an office that didn't allow its employees to listen to talk radio. Music was fine, but talk radio was too much of a distraction. Since you didn't need it to do your job, you weren't allowed to have it.

    The effect on morale was, to put it mildly, negative. Honestly, it's one of the reasons I didn't have the job for very long. Email and internet access are similar: employees have become accustomed, rightly or wrongly, to some personal use of these technologies. Take that away, and you're sure to end up with disgruntled employees, no matter how rational your reasons.

    Moreover, it's a question of trust. If you demonstrate to all your employees that you don't trust them, odds are good you'll increase the number of employees who will live up (or down, if you prefer) to your expectation. At best, you'll incur the costs associated with high turnover rates. At worst, you'll fall victim to even more pernicious crime than you otherwise might have.

    I guess the point is, it's not necessarily ignorance or even apathy that causes businesses to be vulnerable to insiders, it's simple cost/benefit analysis.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
    1. Re:Oblivious to the problem, or resigned to it? by Debiant · · Score: 1

      I somewhat disagree. I think companies don't think all the fault points through. Sure, if you have the above mentioned business, it may be hard to ignore certain kinds of losses if they come regularly. Not sure it is many times a calculated risk, but more acceptance that it doesn't matter as you can't do anything and the risks are obvious.

      The big risk obviously lies in things some organizations haven't thought through or haven't yet experienced but aren't less real.

      But I do agree fully that 'deny everything if it is not accepted' is not necessarily a good idea. It may have justification in some places, but in many workplaces it just costs more than it saves and causes huge annoyance.

      Lots of organizations have to rely on trust in the end. If you don't trust the people working for you, then should you hire them at all in the first place?

      --
      Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these line
    2. Re:Oblivious to the problem, or resigned to it? by NeutronCowboy · · Score: 2, Insightful

      In short, treat your employees like you would want them to treat you, and you'll be better off. I know this definitely applies to me. If my boss doesn't trust me and makes my life difficult because of that, I not only will not trust him, but will also make sure that something balances out the bad work atmosphere.

      You don't want me to do some personal emailing from the work account? Fine, I'll make sure that I work exactly 8 hours a day, so that I get to have enough time to email from home. You expect me to do my work without having admin access to my machine? Be ready for a flood of requests to the IT department, and me waiting for the IT department to do the work for me. You time my bathroom breaks? Be ready for me to time my lunch breaks and bath room breaks as well - regardless of whether there's a fire somewhere or not.

      The problem with enforcing rules is that you run the risk of drowning in them. Give your employees some leeway in interpreting them, and the majority will repay you with loyalty and good work. Those who don't - feel free to fire them. This isn't France or Germany where firing someone can sink your company.

      --
      Those who can, do. Those who can't, sue.
    3. Re:Oblivious to the problem, or resigned to it? by cyanline · · Score: 1

      While I agree that too much control on the employees is demoralizing, there are a few significant incidents where employees (contractors, guest workers, business partner employees... you get the idea) have caused damage to an organization or the people they serve. For example, employees at the IRS gaining unauthorized access to tax records. Currently it seems unworkable to properly restrict employees' ability to cause digital damage and still allow them to do their job. What can we do? I recommend improved internal logging along with increased awareness. Let employees know that their actions can be monitored. And, let's help make employers aware that data is important and needs to be protected.

    4. Re:Oblivious to the problem, or resigned to it? by gcatullus · · Score: 1

      Having just read the review, I think the book agrees that security is a cost/benefit analysis, but that many companies screw up the analysis. They will throw good money after bad for external threats, but not secure themselves from internal ones. To pull another example from retail - our cashiers have "drive-offs", where someone does not pay for the gasoline they purchased and drives off. There are only three possible ways for this to happen: the customer paid a cashier who either forgot to ring in the sale or pocketed it herself, the customer intended to steal the gasoline, or the customer thought he paid for the gasoline, but his card was declined, swiped backwards, etc. You need to watch the video of the cashier as well as the customer. No one should be accused of anything until there is conclusive evidence, but at the same time no one should automatically be "trusted".

      At a loss prevention seminar I heard something that made sense to me. 15% of people will never steal anything for any reason, no matter what. 10% of people will steal compulsively, no matter the consequences. But the other 75% will steal if 3 conditions are present. A) Is that they have a need, real or perceived, i.e. family is starving, feed a drug habit, they think their boss is a prick, etc. B) Is that they have the opportunity, i.e. access to money, supplies, information, etc. and C) That they feel they won't get caught, or that there are very little consequences if they do get caught.

      Now if you go around actively thinking all your employees are thieves, or if you get rid of all email access, or get rid of all outside telephone access so that employees can't "steal" time while on personal calls - YOU are creating one part of the "thief" equation. At the other end of the spectrum, let it be known that you trust every employee implicitly and that whatever expense they want to submit, they clearly must have a valid business reason for, so it will be reimbursed no questions asked. Well, that is just creating another part of the "thief" equation in that there are no consequences or even chance of getting caught.

  12. Paranoia the destroyer, and it goes like this... by digitaldc · · Score: 1

    "But Insider Threat is one of the first to deal with one of the most significant threats to an organizations, namely that of the trusted insider. The problem is that within information technology, many users have far too much access and trust than they should truly have."

    These guys are right, but how am I supposed to trust them?

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  13. Did the Submitter Even Read the Book? by ahsile · · Score: 1

    He says there's 10 chapters, but I only see two mentioned in the summary... and not even a suggestion of what may be in the other eight.

  14. whatever... by revery · · Score: 4, Funny

    This book is total crap and their conclusions about trusted insiders are all wrong. I know this because a friend of mine who worked at the publishing house leaked me a copy a few months early...

    never mind

  15. Re:Paranoia the destroyer, and it goes like this.. by Control+Group · · Score: 1

    Fear is the mind-killer. Fear is the little-death that brings total obliteration.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
  16. The problem with locking everything down... by Anonymous Coward · · Score: 0

    The real problem with not giving much trust to insiders is that then you're left with a situation where you're trying to do your job but you run into a problem of lack of access. One of the two people who can give you access is on vacation. The other one is in meetings all day. You're stuck playing minesweeper instead of doing real work. I can't tell you how many times I've run into this type of situation, and it kills productivity.

  17. Save FOUR BUCKS! by Anonymous Coward · · Score: 0

    Save yourself about FOUR BUCKS by buying the book here: Inside Threat. And if you use the "secret" A9.com discount, you can save an extra 1.57%!

  18. they have no idea! by firesuite · · Score: 3, Interesting

    I've worked as a tech for 3 different companies since I moved over here to the States 2 years ago and in every single company the CEO has his logon password on a post-it note or equivalent stuck to his monitor.. now that's secure! Not saying it's an American thing so please don't flame me :P I'm sure it happens worldwide.. maybe Gates does the same thing.. haha

    --
    *Gratuitous Sig/Plug* Heres my website - firesuite
    1. Re:they have no idea! by Bloke+down+the+pub · · Score: 1

      Re: Bill Gates, I doubt it: you don't need the password to get into an M$ system anyway.

      --
      It's true I tell you, feller at work's next door neighbour read it in the paper.
    2. Re:they have no idea! by FriedTurkey · · Score: 2, Interesting

      It was probably caused by some crazy password policy that makes remembering the password impossible.

      1. Requiring special characters
      2. Requiring a lower case and an upper case letter
      3. Changing passwords every 30 days
      4. No common words

      This all leads to lower security with a post it note.

    3. Re:they have no idea! by thaerin · · Score: 1

      Ah, but wise is the IT staff who knows the level of intelligence, or lack thereof, of the average CEO and adjusts their access accordingly. Around here, even if you got hold of a VP's password, the biggest thing you could do would be to send a company-wide e-mail saying "OMFG j00 all sux0rz!".

      --
      If big boobed women work at Hooters do one legged women work at IHOP?
    4. Re:they have no idea! by Anonymous Coward · · Score: 0

      Same here, I'm the one who writes the post-it notes...:(

    5. Re:they have no idea! by Anonymous Coward · · Score: 0

      Or it could be a trap. Or am I the only one who plants bogus usernames and passwords to see if anyone attempts to use them?

    6. Re:they have no idea! by BVis · · Score: 1

      Which part of that policy is impossible?

      Anyone with an IQ over room temperature can memorize a sequence of 8 alphanumeric characters.

      If they can't, they shouldn't be working for you. Period.
      Same for writing it down - it should be a terminable offense.

      --
      Never underestimate the power of stupid people in large groups.
    7. Re:they have no idea! by Prophet+of+Nixon · · Score: 2, Interesting

      When in an environment that demands those crazy passwords, the trick is not to use phrases/etc, but to use physical patterns on the keyboard. On, say, a 10 character crazy password, I'll have 5 keys pressed without shift pressed, in a pattern, being sure that at least one bit of the pattern crosses the number keys. Then I press shift and do another pattern, again hitting the number (now symbol) keys, to get my capitals and symbols.

      All I have to remember is where to start and the pattern (which is easy). I don't have the actual password string in memory.

    8. Re:they have no idea! by FriedTurkey · · Score: 1

      Anyone with an IQ over room temperature can memorize a sequence of 8 alphanumeric characters.

      They shouldn't have to. What are the chances of an intruder getting a password from a brute force attack over a post it note?

    9. Re:they have no idea! by drinkypoo · · Score: 1

      I have serious problems with memorization. However, I am fairly bright. I learned crystal reports in a week (not a master, but enough to do about anything I need to do here) and I taught myself enough ECMAscript to do the client and server-side stuff for a bunch of fun stupid web tricks in a week. But, I cannot memorize anything without using it. I cannot memorize a password simply by reading and rereading it. Consequently, I write it down, and put it in my wallet. I have not lost my wallet since I was about 16. (Granted, that was only 12 years ago and change...) Once I have learned the password, I burn the paper. Writing the password down is an integral part of my password-memorizing experience, and you are an unrealistic, intolerant so-and-so.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:they have no idea! by cyber-dragon.net · · Score: 1

      I worked as a network security consultant for an overall security firm a while back and I will never forget a bank we were hired to test.

      One of our guys was able to bully his way into the president's office by wearing a suit and acting belligerent, grabbed this password off his monitor sticky note (actually I think it was on the top of his keyboard if I remember right) and we had full access.

      First off, the president should not HAVE full access. He does not need it. He needs email, Word, PowerPoint and a special password to approve transactions. Second, knowing the power that password has he should NEVER write it down. As a network admin I would probably be tempted to physically slap him if I saw that.

      Just an example of why people should be limited to what they need to do. Human error is inevitably the biggest security flaw that exists in any system.

    11. Re:they have no idea! by TubeSteak · · Score: 1

      I was at a mall a few days ago, standing on the 2nd floor.

      I was at the railing overlooking the 'center' of the mall. By coincidence, the security desk was directly below me... I watched the security guy type in his password.

      So much for strong password policy.

      --
      [Fuck Beta]
      o0t!
    12. Re:they have no idea! by BVis · · Score: 1
      and you are an unrealistic, intolerant so-and-so.

      We're talking about security, not "and how does that make you feel". As intolerance increases, so does security. Would you rather your password policy be something like "Ah, that's close enough, come on in"?

      Computer security in general is dangerously bad, damn right we should be intolerant.

      --
      Never underestimate the power of stupid people in large groups.
    13. Re:they have no idea! by emarkp · · Score: 1
      Remembering 1 password is no problem. The trouble is, I have over 10 passwords. And some of them force me to change them once in a while.

      That's the problem.

    14. Re:they have no idea! by BVis · · Score: 1
      That's the problem.

      No, the problem is that you're complaining about your passwords changing. Get the fuck over it.

      --
      Never underestimate the power of stupid people in large groups.
  19. Plenty of material on this... by marcantonio · · Score: 1

    But Insider Threat is one of the first to deal with one of the most significant threats to an organizations, namely that of the trusted insider.

    This subject has been discussed in countless basic, and not so basic, security publications. Not that it isn't a real problem, but this is hardly ground breaking.

  20. From a healthcare perspective by PIPBoy3000 · · Score: 4, Interesting
    I work in healthcare and one of my roles is to help in auditing.

    The main issue is that most people can look at any patient. This is considered a "necessary evil" as sometimes unexpected clinicians might be looking at a patient's information and we don't want to block access in a life threatening situation. Instead, we review access after the fact, in addition to putting certain blocks in place:
    • Unusual access is audited. This includes people looking at patients who happen to be employees, specific audits of local celebrities, and so on.
    • Random audits. Periodically, someone will check to see what a random person is doing.
    • Probation. New users are audited at certain points, to make sure they're not abusing their new power.
    • Hiding patients. Certain patients are hidden from most users - this might include celebrities, legal issues, or patients who have requested it.
    I see trust as a necessary part of functioning within an organization, though trust must be tempered with watchfulness. I'm a big fan of letting people do what they want, and then "break their kneecaps" if they abuse that trust. In real terms, this means prosecution and the like. Of course, I don't decide such things - that gets passed on to our legal department and I try not to follow up after that.
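    An added example of the after-the-fact access review described in this post (it is not the poster's tooling). It runs the four checks (employee-patient and watchlist access, random sampling, probation for new users, and restricted records accessed outside their allowlist) over constructed EHR access-log lines; the log format and all user and patient identifiers are assumptions.

```python
"""Post-hoc review of EHR access logs (added example; constructed data).
Assumed log line format: '<ISO timestamp> user=<id> patient=<id> action=<verb>'."""
import random
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) user=(\S+) patient=(\S+) action=(\S+)$')

# Constructed reference data (hypothetical identifiers).
EMPLOYEE_PATIENTS = {'P2001'}                       # patients who are also staff
WATCHLIST_PATIENTS = {'P3001'}                      # local celebrities, legal holds
HIDDEN_PATIENTS = {'P4001': {'dr_lee', 'nurse_kim'}}  # restricted record -> allowed users
PROBATION_DAYS = 90                                 # new-user audit window
USER_START = {'dr_lee': '2005-06-01', 'nurse_kim': '2005-02-10',
              'clerk_new': '2005-12-20'}


def parse(line):
    """Return one event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, patient, action = m.groups()
    return {'ts': datetime.fromisoformat(ts), 'user': user,
            'patient': patient, 'action': action}


def audit(lines, random_sample=0, seed=None):
    """Return (reason, event) pairs that a human reviewer should look at.

    Access is never blocked here: the point, as in the post, is to let the
    clinician see the record and review the access afterwards.
    """
    findings = []
    events = [e for e in map(parse, lines) if e]
    for e in events:
        if e['patient'] in EMPLOYEE_PATIENTS:
            findings.append(('employee-patient', e))
        if e['patient'] in WATCHLIST_PATIENTS:
            findings.append(('watchlist-patient', e))
        allowed = HIDDEN_PATIENTS.get(e['patient'])
        if allowed is not None and e['user'] not in allowed:
            # Either the hide failed or access was granted in a hurry; review either way.
            findings.append(('hidden-patient', e))
        start = USER_START.get(e['user'])
        if start and e['ts'] - datetime.fromisoformat(start) <= timedelta(days=PROBATION_DAYS):
            findings.append(('probation', e))
    if random_sample:
        rng = random.Random(seed)   # seedable so a review batch is reproducible
        for e in rng.sample(events, min(random_sample, len(events))):
            findings.append(('random', e))
    return findings


# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2006-01-10T09:15:00 user=dr_lee patient=P1001 action=view
2006-01-10T09:20:00 user=nurse_kim patient=P2001 action=view
2006-01-10T10:02:00 user=clerk_new patient=P1001 action=view
2006-01-10T11:30:00 user=dr_lee patient=P4001 action=edit
2006-01-10T11:45:00 user=clerk_new patient=P4001 action=view
2006-01-11T08:00:00 user=nurse_kim patient=P3001 action=view
this line is garbage and is skipped
"""

if __name__ == '__main__':
    for reason, ev in audit(SAMPLE_LOG.splitlines(), random_sample=1, seed=1):
        print(f"{reason:18} {ev['ts'].isoformat()} {ev['user']} -> {ev['patient']} ({ev['action']})")
```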
    1. Re:From a healthcare perspective by Bloke+down+the+pub · · Score: 1

      Apart from the fact that the 4th bullet point contradicts "we don't want to block access in a life threatening situation", that all looks pretty sensible. So sensible, in fact that it's only a matter of time before someone tries to implement it to the letter - in a company that sells paper.

      --
      It's true I tell you, feller at work's next door neighbour read it in the paper.
    2. Re:From a healthcare perspective by PIPBoy3000 · · Score: 1

      The key for bullet point #4 is "most users". So, if a celebrity is coming in for a particular procedure and doesn't want it known, we can secure access to a handful of users. Of course, if a physician doesn't have access and has a need to get it, security can be granted in a matter of minutes.

    3. Re:From a healthcare perspective by Anonymous Coward · · Score: 0

      A matter of minutes is more than enough time to die.

  21. Executive Assistants... by leather_helmet · · Score: 1

    We had a situation where the CEO's assistant was giving his private emails to a former employee with whom she was having a 'relationship'.
    What she basically did was 'backup' his Outlook email to a PST and then burn the PST files to DVD-R.

    The IT fellow caught her in the act of 'backing up' our boss' email when he was away.
    She was caught and admitted to her wrong-doings.
    Supposedly legal action was going to be taken, but I changed jobs in the meantime.

  22. I just offered the Boss by TheDoctorWho · · Score: 0

    We may have had a bit of corruption with a major Word Doc from a specific user who likes to change her themes with any theme she can d/l, this time it was Holiday stuff. Not to mention numerous search bars, smiley faces, and other garbage. Anyway, either that caused an issue with her PC or it was simply user error on her part that ruined the document. I go with user error.

    But I did offer to turn off the ability of users to install programs, but the boss said no, too big brotherish. To which I replied, you lose time fixing things and re-doing things because of breaks such as this.

    Well, they can still load what they want, so like someone else said below/above, it's all power play, and then I have to fix it when they break it.

  23. For corporations... by Anonymous Coward · · Score: 0

    Trust no one.

  24. record absolutely everything by SpaceKow · · Score: 1

    With all the large hard drives we have today, we should record video of every keyboard induced update.

    1. Re:record absolutely everything by Abstract_Me · · Score: 0

      This doesn't just take hard drive space though, it also takes CPU cycles, which for a lot of companies are maxed out on their database systems.

  25. "too much access ... than they should ... have" by Caspian · · Score: 2, Funny

    The editors have too little grasp on English than they should have.

    --
    With spending like this, exactly what are "conservatives" conserving?
    1. Re:"too much access ... than they should ... have" by GISGEOLOGYGEEK · · Score: 1

      As do you apparently. Try: .... too little OF A grasp on ....

      --
      George Bush + Linux = "I will not let information get in the way of the fight against Windows"
  26. Faulty Logic... by kurbchekt · · Score: 0

    "Thousands of computer security books have been published that deal with every conceivable security issue and technology." If that were the case, wouldn't there not be any security issues?

  27. TRUST NO ONE by mary_will_grow · · Score: 2, Interesting

    The problem is that within information technology, many users have far too much access and trust than they should truly have.

    God I'd hate to live in the world you would create.

    --
    Why stick up for big business?
    1. Re:TRUST NO ONE by ScentCone · · Score: 1

      The problem is that within information technology, many users have far too much access and trust than they should truly have.

      >>God I'd hate to live in the world you would create.


      Here's an idea. Start up a company... say, retail, perhaps. Make sure that the data used in managing that business involves personnel records, credit card data, health insurance policies, bank info - all the usual stuff. And then hire a bunch of people, trusting all of them entirely to have access to everything. Let us know when you start your total trust campaign, and then let us know how many days (hours? minutes?) go by before something that absolutely should not be in someone's hands nonetheless is. Be sure that your own personal SSN and direct deposit information is out there floating around without any ACL protection, too, OK? And don't forget to put your backups on CD, and put them in a file cabinet in the lobby, labeled "historical payroll data."

      Man, I'd hate to trust my information with a business you'd run.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:TRUST NO ONE by legirons · · Score: 1

      "God I'd hate to live in the world you would create."

      Indeed. Who needs to do a google search for their programming problems anyway, when you could just spend 3 weeks trying to solve it by yourself?

    3. Re:TRUST NO ONE by drinkypoo · · Score: 1
      We're talking about running a business here. People who don't need access to information shouldn't have access to information. It's called minimum necessary rights, and it's a basic tenet of security. If you grant all the capabilities you expect to need, and nothing else, then you wipe out a lot of potential attacks right off the bat without even knowing what they are.

      This has the added bonus that someone who sits down at someone else's desk has limited access. Without managing rights, someone unauthorized can get access to everything from anyone's computer, even the janitor's. Since more and more organizations are using a computerized trouble ticket system for everything from purchasing to janitorial, this is an entirely reasonable example.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
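
The "minimum necessary rights" point above can be made concrete. The following is an added example, not code from the thread or from the book under review: it models a default-deny policy with grants attached to roles, then computes what a single account's session can reach under a "staff can do anything" policy versus a least-privilege grant set. The roles, resources and both policies are constructed for illustration; the "exposure" of an account is exactly what someone who sits down at that person's unlocked desk gets, whether or not the attack was anticipated.

```python
"""Default-deny authorization and the "blast radius" of one account.

Added example, not code from the original thread. Roles, resources and the
two policies below are constructed to contrast "everyone gets everything"
with a least-privilege grant set.
"""
from dataclasses import dataclass, field

ACTIONS = ("read", "write")
RESOURCES = ("payroll", "credit_cards", "health_insurance", "tickets", "inventory")

# Each account carries a set of roles; grants are attached to roles, never to people.
ACCOUNTS = {
    "janitor": {"staff"},
    "cashier": {"staff", "register"},
    "hr_clerk": {"staff", "hr"},
}


@dataclass(frozen=True)
class Grant:
    role: str
    action: str
    resource: str


@dataclass
class Policy:
    grants: frozenset = field(default_factory=frozenset)

    def allows(self, roles, action, resource):
        # Default deny: permitted only if some role held by the subject explicitly grants it.
        return any(Grant(role, action, resource) in self.grants for role in roles)


# Policy A: everyone on staff can do anything (the "trust everybody" shop).
EVERYTHING = Policy(frozenset(
    Grant("staff", a, r) for a in ACTIONS for r in RESOURCES))

# Policy B: each role gets only what its job needs.
LEAST_PRIV = Policy(frozenset({
    Grant("staff", "read", "tickets"), Grant("staff", "write", "tickets"),
    Grant("register", "read", "inventory"),
    Grant("hr", "read", "payroll"), Grant("hr", "write", "payroll"),
    Grant("hr", "read", "health_insurance"),
}))


def exposure(policy, account):
    """Everything reachable from this account's session.

    This is what someone who sits down at the account holder's unlocked
    desk gets, whether or not we anticipated that particular attack.
    """
    roles = ACCOUNTS[account]
    return {(a, r) for a in ACTIONS for r in RESOURCES if policy.allows(roles, a, r)}


def unreferenced_resources(policy):
    """Resources no grant mentions. Under default deny nobody can touch them,
    which is either correct or a missing grant; either way it needs a review."""
    mentioned = {g.resource for g in policy.grants}
    return {r for r in RESOURCES if r not in mentioned}


if __name__ == "__main__":
    for name in ACCOUNTS:
        print(f"{name:9s} everything={len(exposure(EVERYTHING, name)):2d}"
              f"  least_priv={len(exposure(LEAST_PRIV, name)):2d}")
    print("no grants at all:", unreferenced_resources(LEAST_PRIV))
```

Under the "everything" policy the janitor's account reaches all ten (action, resource) pairs; under least privilege it reaches the ticket system and nothing else. The `unreferenced_resources` check is the audit step a practitioner wants with default deny: a resource nobody is granted is either correctly locked away or a forgotten grant that will surface as a support ticket, and the policy review should say which.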
  28. Huh? by TWX · · Score: 3, Insightful

    I'm trying to figure out if you're attempting to be sarcastic in places or not, but I'm still not quite sure.

    The keys need to be held by only a small group of people. "Too many cooks spoil the soup" applies very well to a corporate network, even down to the workstation configuration. It's possible to screw up the whole enchilada from that point too, or at least have some major negative effect, and if the intent is for it to be a managed network, it's much better for it to be managed, dammit. If not, it's a free-for-all.

    Many of my users are very smart people. Unfortunately, they're good only with their own home PCs. They don't understand why we don't always do things the same way that they themselves do them, nor will they until they come to appreciate the demands that present themselves in trying to keep a 30,000 computer network up and functioning for everyone despite their different needs. Where I work, our network is supported by ten field and bench technicians, two data cabling technicians, two telephone system technicians, and four helpdesk persons as far as interface-with-the-user support is concerned. Our back end is four network engineers, four software specialists, one AS/400 administrator, two Computer Operators, and a slew of programmers to write the software that the users will do their jobs with. It's a very, very small department given the size of the organization, and if we had better, tighter control over the security of the workstations it'd be a much easier job.

    --
    Do not look into laser with remaining eye.
    1. Re:Huh? by shawn(at)fsu · · Score: 1

      I wasn't trying to be sarcastic at all. Our company employs over 100,000 people, and while we have a good desktop support unit it is sometimes impractical to rely on them all the time for everything. I worked on the desktop support team for a time and we felt it was better to educate the users and make them self-reliant. We never had email go down due to a user error, nor has our network gone down due to a user installing bad software, but it was nice being able to work on the important issues (server migration, backup restores) and not get interrupted by "can you install X on my computer?"

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    2. Re:Huh? by dgatwood · · Score: 4, Insightful
      There are two methods of IT:

      1. Tight control. In this method, the IT people keep the users from doing anything to break or fix the systems.
      2. Hands off. In this method, the IT people say "fix it yourself".

      In my opinion the first one rarely works for very long.

      IT administrators should tell new employees from the very beginning that they will maintain the network, period. If somebody screws up their machine, the IT folks might help the user figure out how to fix it, but the person should have to do the actual work him/herself. This encourages people to take responsibility for their actions, which leads to people actually taking care of their work machines. That was the policy at my former employer (though they did help the marketing folks a bit). It's also the policy of my current employer. From what I have seen, it has worked extremely well.

      Putting in a paranoid policy like not giving users admin rights to their own workstations only coddles the users and lulls them into a false sense of security. After all, the IT department is protecting them from breaking anything, so no matter what they do, if the software lets them, it must be safe. It leads to people doing utterly stupid things that they would never do with their own machines---precisely because on their own machines, they would have to fix it if they break it.

      As for the premise that users will screw things up if they have any control, my experience has been exactly the opposite. I find that software lock-downs tend to be buggy and cause more problems than they solve. I've seen university computer labs run in a paranoid style and university labs with nearly identical machines run with an open policy. The paranoid lab constantly experienced weird crashes and generally unusable systems. The "do what you want" lab, to my knowledge, hasn't had any non-hardware-related service calls since I helped set it up in 1996.

      It is my experience that trusting people until they prove to be idiots is always the best policy. If you trust someone and they betray your trust, you will never trust them again, and they know this. Thus, trusting someone tends to inspire trustworthy behavior. By contrast, paranoid information hiding, control hoarding, and other such authoritarian behavior tends to breed suspicion and contempt, which tends to lead to untrustworthy behavior.

      For example, companies that tend to closely guard their secrets within the company, only providing information to people with a "need to know" tend to have much higher leak rates than companies that are open and trusting of their employees. This boils down to basic psychology. Secrecy breeds a feeling of power---that excitement over knowing something that no one else knows---and the only way to exercise that power is by proving to others that you do, in fact, know something that they don't know, which can only be done by leaking information. If you can share that information within the company, most people do so out of loyalty to the company. If you can't, the destination of the leaked information tends to be the press.

      This isn't to say that monitoring for improper behavior isn't useful. It is always a good thing to find out quickly when someone is betraying your trust, allowing you to take immediate corrective action. In the field of IT, for example, you should have the ability to detect suspicious network activity, break-in attempts, etc. Centralized system logging can also be useful in this regard. However, if you trust people until they show reason not to do so, the vast majority of people will behave appropriately. If you distrust people until they earn your trust, the majority of people will do everything they can to work around you and subvert your control. That is not a healthy work environment.

      Personally, I've always said that the best way to stop press leaks from a company is to create a competing rumor site, see who submits information to it, and take corrective action. Introduce a situation where an une

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Huh? by Saint+Jimmy · · Score: 1

      I definitely agree that the majority of a company needs restricted access. At the company I work at, the IT desk allowed me full administrative rights on my laptop while on the company network and I promptly brought down the network three times in one week due to "experimentation" with my computer. Even people who are totally competent with computers should have restricted access unless they are IT staff. Actually, non-IT geeks should probably have even more restricted access due to our tendency to push our computers to the limits.

      Not that I enjoy having my access limited...

      --
      To alcohol and cigarettes and Mary-Jane to keep me insane doing someone else's cocaine
    4. Re:Huh? by drinkypoo · · Score: 4, Insightful

      IT administrators should tell new employees from the very beginning that they will maintain the network, period. If somebody screws up their machine, the IT folks might help the user figure out how to fix it, but the person should have to do the actual work him/herself.

      So what happens if they can't fix it? Do you just fire them, reload their computer, and hire the next guy?

      What makes the most sense to me is to store all a user's data on the network, forcing them to do so if at all possible but at minimum making it easy to do so, and have a system image for each PC in your organization. If they scrag their computer somehow, then you can just reload from the image and move on with your life.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Huh? by dgatwood · · Score: 1
      Very much agreed except for the forcing part. If you make it easy enough, you shouldn't need to force them, and if you find yourself needing to force them, something is wrong.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  29. Re:WTF? by Anonymous Coward · · Score: 0

    You obviously loved Lou Rawls.

    Love is a hurtin' thing.

  30. OH, joy. Another anti-IT witch-hunting book. Yay! by crazyphilman · · Score: 1, Interesting

    Here we go again. Yet another book claiming that companies can't trust their employees, as if we're all crooked and evil (and not merely underpaid and mistreated, but that's another story). ANOTHER book justifying management treating us like shit. ANOTHER book telling the bosses what they want to hear. Hooray. And it's in a book so It Must Be True.

    Meanwhile, over here IN REAL LIFE, people like me are running a company's entire business, with full access to everything, and yet, we don't break the law! We don't even BEND the law. How can we explain this bizarre paradox? Because if our collective bosses were to admit that their IT staff possesses PROFESSIONAL PRIDE, and MORALS, and A DESIRE TO DO THE RIGHT THING ALL THE TIME, NOT JUST WHEN IT'S GOOD FOR BUSINESS, well, that'd just be chaos! I mean, our whole society would fall apart if we admitted something like that!

    What to do, what to do... The book says we're evil, common sense says we're not... What's a manager to do?

    Oh! I know! Follow the book! That was easy...

    --
    Farewell! It's been a fine buncha years!
  31. Wargames by Anonymous Coward · · Score: 0

    No, then you wouldn't get in. Just change the password every week and hide it in the top drawer of the computer in a quite public place. It worked for the administrators at Snohomish High School in Wargames, so it will work for you too.

  32. Too much lockdown costs money too by FriedTurkey · · Score: 2, Interesting

    I can't tell you how many times I have sat there doing nothing but billing a client because I didn't have security access to a system. There is always just one guy who can give you access and he is on vacation. I can't tell you how many times I wasn't able to fix a production system because we needed some DBA to run some SQL script I wrote to fix the system. It's not like the DBA even looks at the scripts. I could've stuck in a statement to delete all the tables and he wouldn't have known. My last client had MAC-address-to-server-name security access. My motherboard fried so my MAC address changed. Of course the server guy was on vacation. Eight hours x $150/hr = where is the savings? I know the majority of /. is UNIX/NT admin guys and not programmers so I probably won't get anybody to understand. It's safer for the admin guy's job to lock your system down than to worry about development costs. If management really knew the additional software costs, developers wouldn't be locked down. Often it seems the admin guys have some kind of power trip with access. Am I really more of a security threat than the admin guy with lots of Lord of the Rings crap all over his cube?

    1. Re:Too much lockdown costs money too by Bastard+of+Subhumani · · Score: 0
      There is always just one guy who can give you access and he is on vacation.
      That's just crap management - there should always be a deputy. Not that I'm denying what you said, because it's happened to me - urgent production fix needed migrating, Fred does that, Fred's off for three weeks.

      I find that if one of the directors gets involved (especially if the company's losing money) they suddenly find that there's someone else who can do it, after all.

      --
      Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
    2. Re:Too much lockdown costs money too by Feyr · · Score: 1

      Sysadmin here, but I tend to agree with you.

      Most of our developers have full access to all the databases they need.
      They also have a bit more access than they really should have, usually because they're debugging something which requires it. Most of the time it's not a huge problem,

      but sometimes it can come back to bite your ass. Recently, one service crashed, and none of the admins were there to fix it. One of our brilliant developers (who also happens to be a manager) decided he'd "fix" it himself, and he ended up turning what would have been a 5 minute fix, if he had just waited 10 more minutes, into a 3 hour outage for 4000 customers. He doesn't have access anymore.

      Just saying, security is always a risk balance. Him having extra access was an acceptable risk for what he was doing. By crashing the server he shifted the balance the other way and we revised it accordingly. There's no one-size-fits-all security; it must adapt to changing situations.

    3. Re:Too much lockdown costs money too by FriedTurkey · · Score: 1

      One of our brilliant developers (who also happens to be a manager) decided he'd "fix" it himself, and he ended up turning what would have been a 5 minute fix, if he had just waited 10 more minutes, into a 3 hour outage for 4000 customers. He doesn't have access anymore.

      I have seen that before. You've got to know your limits. I am often given sysadmin privileges to an Oracle database. If I see any kind of weird Oracle error I don't even try to play with it. That's the DBA's problem.

    4. Re:Too much lockdown costs money too by NeutronCowboy · · Score: 2, Informative

      The problem really isn't the IT Admin. Largely, they implement rules handed down to them by management. In your case (and I have first-hand experience of your problem as well), the problem is far more likely to reside with management, who are unable to do a cost-benefit analysis of a given situation. How much could it cost to give you access versus how much does it cost not to give you access? Personally, I try to make this as crystal clear as possible to management, and sometimes, I get through. Sometimes though, I don't. And then I sit on my hands and post to Slashdot.

      --
      Those who can, do. Those who can't, sue.
    5. Re:Too much lockdown costs money too by 6Yankee · · Score: 1

      And then I sit on my hands and post to Slashdot.

      Now that's a clever trick...

  33. BS by nurb432 · · Score: 2, Insightful

    'IT' needs access to do its job. We need *total* access to all systems and data or we can't be effective and might as well not go to work.

    Anyone that stands in the way of this should be fired.

    If you can't trust your IT people with this access, then they should be fired.

    As far as the owner having total access, well it's his f-ing place. HIS butt is on the line. He gets what he wants, always. Deal with it.

    --
    ---- Booth was a patriot ----
    1. Re:BS by timster · · Score: 1

      OK, I can't trust anyone with total access to all the data in my entire corporation, so I just fired my entire IT staff as per your instructions. What do I do now?

      --
      I have seen the future, and it is inconvenient.
    2. Re:BS by honkycat · · Score: 1

      That's not true. Each IT person or group needs only enough access to maintain the systems it is responsible for maintaining. If your company is small, that may mean that the IT guy has access to all the systems. If it's larger, though, it is a very good idea to partition access. This is not just a question of trust -- it also forces the person responsible for each element to be involved in (and therefore aware of) any changes made to it.

      Data is another matter. IT does not need access to sensitive business data to do its job. Encrypt the data with a password known only to those who need access. Obviously this will preclude IT from recovering the data when the password is lost, but if the data is that sensitive and valuable, it's quite reasonable to expect extreme diligence on the part of its custodians.

      If I were in IT in a company with extremely sensitive data, I would actually prefer to have access to less than everything. When there is a leak, it makes it that much less likely that I'll be falsely accused.

    3. Re:BS by vod1 · · Score: 1

      'IT' needs access to do its job. We need *total* access to all systems and data or we can't be effective and might as well not go to work.

      In a perfect security world you don't need total access. I work for a very large corporation which has separate network, firewall, Unix, and database groups. If you are in the Unix group you don't need access to the data in the database. If you are a firewall person you don't need an account on the Unix server. There is also an audit department that makes sure all the accounts on the application belong to legit people who need it.

      I agree having so many different people managing a single system makes troubleshooting much harder but having a check and balance system in place takes total access out of the hands of few people. The idea is that to do any real damage you would actually need the help from multiple people in different groups, making it harder to hide a conspiracy.

    4. Re:BS by nurb432 · · Score: 1

      Go hire someone you can trust.

      --
      ---- Booth was a patriot ----
    5. Re:BS by lgw · · Score: 1

      IT certainly has no access to any machine that's important to me getting real work done! Like I'm going to risk the data janitors touching something that's actually valuable to the company.

      If you can't trust your IT people with this access, then they should be fired.

      Ahhh, now we agree! Sadly, that's not my call.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:BS by Znork · · Score: 1

      I don't think you get the level at which these people work. Separating systems and access between functional groups is normal. The kind of people writing the book in question want separation for each and every activity done. If you were a Unix admin, not only would you not have access to the database, you wouldn't even have access to the database files, nor the commands to modify the volumes. You couldn't be allowed access to a compiler, nor sudo access to, for example, vi or more (as they contain shell escapes). Do you really need to access /dev? Maybe not every day, better make it conditional. These people think web access, email and iPods ought to be restricted, so forget about downloading patches and reading security bulletins.

      Needless to say, any company operating on such principles will become more or less entirely uncompetitive as they implode under the weight of internal administrative overhead and distrust.

    7. Re:BS by alister · · Score: 1
      Hi there,
      'IT' needs access to do its job. We need *total* access to all systems and data or we can't be effective and might as well not go to work.
      I reckon this is rubbish. I reckon that user data should be encrypted, so that only the people the user wants to give access to get access to it, and that includes IT staff. If I get my way - and as an IT Manager I just might - I'll be putting in place systems that devolve authority to determine who reads what to the people who own the data, and that's not the IT staff.

      Alister

  34. If they're lucky that is by Debiant · · Score: 1

    One summer I worked in one company's financial department. The head accountant there didn't have full access to all the information she needed. The reasons for that weren't security related, they were financial: the company didn't want to pay for an additional license to our software provider. The result was that she had to ask me each time to fetch information from a system she didn't have access to.

    The funny thing was that she was one of the permanents, while I was a temp hired through a recruiting firm. I never went to an interview at that company. Still, I handled quite big sums and had wider access than she had as head accountant.

    I think one should look at a company's security package as an integral whole that is tightly knitted to each company. The reason is that companies have wildly different kinds of organizations, ways of doing things and needs. So the way each worker is allocated rights and accesses varies by company, by the worker's function and by the software he or she uses. Not only that, many CEOs or department heads don't really know how daily work is organized at the grass-roots level. It easily happens that the CEO and the IT manager/consultant reach a common agreement on how to do security, but if they aren't up to date about regular daily practices, problems can arise quickly. Ones that are born when people can't get necessary information when they need it.

    These things, if one wants to do them well, don't have a one-size-fits-all solution and go far beyond being 'just' IT.

    Besides, there are a lot of other issues here too, like labour relations and work efficiency. Good and very tight security may not earn the trust of workers, but cause it to be lost. Too rigid and wrong-headed security practices can hinder real-life productivity too.

    Remember, the road to hell is paved with good intentions. Tread carefully.

    --
    Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these line
  35. I agree by GmAz · · Score: 2

    I have to agree. I work for a school district where I have complete access for every workstation as well as every server. True, I am a computer tech here, but still, the few things I do on a server shouldn't give me access to pretty much turning it into a FUBAR machine. Office staff and District Office personnel are even worse. They have full access to whatever they want on their machines. And all they do is use MS Office and a few programs for the district. Though it is kinda fun to search the server drives for *.mp3 and *.wmv and burn it to CD to enjoy at home. I have gotten some great music and really funny videos from their network folders, and then deleted them because it's against district policy to have that stuff on work property =P.

    --
    Click Click Bloody Click PANCAKES!
  36. my take on trust by east+coast · · Score: 4, Funny

    Once I was asked by a friend's father who he could trust to run his IT department and I told him "you can trust no one" and he told me "East, every day I trust Jesus Christ as my Lord and Savior" and I simply asked him "Is Jesus your SysAdmin?". I don't think I ever spoke to the man again...

    ...Is that Zen or what?

    --
    Dedicated Cthulhu Cultist since 4523 BC.
    1. Re:my take on trust by Anonymous Coward · · Score: 0

      we've tried him, and he seems not to be a very good sysadmin.

      "Christ! the network's down again."

  37. Re:OH, joy. Another anti-IT witch-hunting book. Ya by WilliamsA · · Score: 1
    You might want to actually read the book before presuming that it identifies IT staff as the primary perpetrators of insider crime. The book deals with every potential insider threat from maintenance staff to the highest levels of executive management. A great deal of emphasis is actually placed on how important the IT staff is to mitigating insider threats, particularly if the threat is someone in senior management. So, it's not "management vs. employees". The book also does not say that everyone IS a threat. It says that anyone CAN BE. Big difference.

    --Andrew Williams

    Publisher

    Syngress Publishing

  38. Everyone's password is taped to their monitor .... by g0hare · · Score: 1

    at least at any place I consult for where I make them use passwords that change every month and require password complexity

    --
    Vote Quimby!
  39. THE INTERNET IS NOT SECURE by blair1q · · Score: 1

    The Internet is an enabling technology.

    The Internet is not secure.

    And it does not need to be.

    It was not designed so that large corporations could sell security services on it.

    The Internet is an open field. A common.

    If you want the Cone of Silence, you know where to find it.

  40. Re:Everyone's password is taped to their monitor . by MichaelSmith · · Score: 1
    change every month and use password complexity

    This was the policy at one site I worked at. One day I had to ask a fellow worker to show me some bad data on their workstation. They had gone home for the day, but a nearby cube dweller helped me out.

    The password for the month (in that entire office) had been agreed to be abcyyyymm or some such where abc is known to everybody and the rest is just the date.
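
The "abcyyyymm" office above is the standard failure mode of a rotate-every-month-plus-complexity rule: the policy is satisfied and the password is still guessable by anyone who knows the month. What follows is an added example, not code from the thread, of the check a password filter would apply at change time. It goes a little beyond the specific abcyyyymm case: it rejects several spellings of a month stamp for the current month and its neighbours, and it rejects a new password that differs from the old one only in a trailing counter ("Winter06!" to "Winter07!"). The stamp formats, the neighbourhood window and the sample date `JAN_2006` are constructed assumptions.

```python
"""Catch the "abcYYYYMM" workaround: a password filter that rejects the
predictable ways people satisfy a monthly-rotation-plus-complexity rule.

Added example, not from the original post. Stamp formats, the month window
and the sample date are constructed for illustration.
"""
import re
from datetime import date

# Spellings of a month stamp people embed in passwords (constructed list):
# 200601, 2006-01, 012006, 0601, Jan2006, Jan06
STAMP_FORMATS = ("%Y%m", "%Y-%m", "%m%Y", "%y%m", "%b%Y", "%b%y")

# Sample "today" used by the demo below (constructed).
JAN_2006 = date(2006, 1, 15)


def month_stamps(today, months_back=2, months_ahead=1):
    """Stamps for the current month and its neighbours, lower-cased.

    Neighbours matter because people pre-date or forget to bump the stamp.
    """
    stamps = set()
    for delta in range(-months_back, months_ahead + 1):
        m = today.month - 1 + delta            # zero-based month, may run out of range
        first = date(today.year + m // 12, m % 12 + 1, 1)
        stamps |= {first.strftime(fmt).lower() for fmt in STAMP_FORMATS}
    return stamps


def _core(password):
    # What survives after stripping a trailing run of digits/symbols:
    # "Winter07!" -> "winter", "Tr0ub4dor&3" -> "tr0ub4dor"
    return re.sub(r"[\d!@#$%^&*]+$", "", password.lower())


def rotation_pattern(new_pw, old_pw=None, today=None):
    """Return a reason string if new_pw looks like a rotation workaround, else None."""
    today = today or date.today()
    low = new_pw.lower()
    # Longest stamps first so the reason names the most specific match.
    for stamp in sorted(month_stamps(today), key=len, reverse=True):
        if stamp in low:
            return f"contains month stamp {stamp!r}"
    if old_pw is not None:
        old_core = _core(old_pw)
        if old_core and old_core == _core(new_pw):
            return "differs from the previous password only in trailing digits/symbols"
    return None


if __name__ == "__main__":
    for new, old in (("abc200601", None), ("Winter07!", "Winter06!"),
                     ("correct-horse-battery", "Winter06!")):
        print(f"{new!r:25s} -> {rotation_pattern(new, old, today=JAN_2006)}")
```

The four-character stamps ("0601") will occasionally reject an innocent password that happens to contain those digits; that is the usual trade-off for a pattern filter, and the reason string tells the user exactly what tripped it. The trailing-counter check only works if the system can compare against the previous password at change time, which it can in a filter hook but not from stored hashes alone.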

  41. my book summary by jaimz22 · · Score: 1

    here you go, this is a one sentence version of this book

    DON'T let asshole people know important shit!

    thanks!

  42. Re:OH, joy. Another anti-IT witch-hunting book. Ya by jimjamjoh · · Score: 1

    "I'll be outside, since you're already on the cross..."

  43. Security has a cost by wintermute42 · · Score: 4, Insightful

    One of the wisest comments I've heard on security was: security is the tax that the rest of us pay because some people are immoral.

    Security has a definite cost. Casinos are probably the extreme example. They tend to hire people paid an hourly wage who handle large amounts of money. Perhaps they have little choice but to watch them all the time. The people who are working at the casino are generally willing to put up with a total surveillance work environment because the jobs pay better than most relatively unskilled jobs.

    I have not read the book that was reviewed, but the reviewer seems to suggest that something like this kind of total surveillance environment is desirable. The problem is that such an environment exacts a cost from the majority of honest and moral people in the hope that it will deter or catch those who are dishonest. A heavily restricted surveillance environment is likely to drive away many people who have other job options. As espionage scandals have shown, there is never any guarantee that any set of countermeasures will assure that someone does not betray trust.

    There always has to be a balance between risk and the cost of the security measures. Security "professionals" like the reviewer seem to forget this. After all, it is not their problem when people quit for a more pleasant environment or when the organization cannot attract highly qualified people who can choose to work elsewhere.

  44. Be careful not to over simplify the issue by BAM0027 · · Score: 1

    The parent comment uses the example of bulk candy being lifted from a grocery store. This is an extreme example that doesn't accurately describe the situations that are addressed by the book. The comment also states that the issue at hand is a simple "cost/benefit analysis".

    What I can say is that protecting a company's financial information or intellectual property is of much greater value to our company than some missing inventory. I also know that after having read this review, I am interested in understanding more of the possible loopholes or weak points in our infrastructure. The use of technology in the work place has increased dramatically and some of its applications demand more sophisticated precautions. Video cameras and the like are inadequate to the task.

    At the least, I would hope to garner more ideas on how or where to look for shortcomings in our organization. Whether or not to implement them would _then_ come down to cost/benefits.

  45. The problem with permissions by DoktorFuture · · Score: 1

    One big problem is how we are specifying permissions.

    We usually specify who can, or can not, access or modify an object.

    So if I want to say 'back up what is important to me', the computer can't do it.

    Or, show me 'things which contain financial information', the computer is again lost.

    Policies with higher-level attributes (either applied to an object, or inferred by content scanning) make a bit more sense to me, and are probably easier to manage.

    I would like a Flickr-like meta-data tag search. Maybe this will be possible with WinFS. It would be more useful if it wasn't entirely free-form, and some template tags and groupings for things like projects and interests were also easily managed.

    Anyone know if WinFS is going to be able to take us in this direction?
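
The post above asks for policy over attributes rather than over object identities. The following is an added example, not code from the thread and nothing to do with WinFS: it shows what "tags applied to an object, or inferred by content scanning" looks like as an access check and as a query. Objects carry explicit tags; a content scanner adds labels like "financial" or "pii" that the owner may have forgotten to apply; the policy is default-deny, lets owners do anything to their own objects, and lets others read only what is tagged "shared" and only if they are cleared for every sensitive label, explicit or inferred. The files, groups, clearance map and the deliberately crude classification patterns are all constructed for illustration.

```python
"""Attribute-based access: tags on objects (explicit or inferred from content)
instead of per-object who-may-touch-it lists.

Added example, not from the original post and unrelated to WinFS. The
classification patterns, files and groups are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Obj:
    path: str
    owner: str
    content: str
    tags: set = field(default_factory=set)   # tags applied by a person


# Labels inferred by content scanning (constructed, deliberately crude patterns).
CLASSIFIERS = {
    "financial": re.compile(r"\b(invoice|payroll|IBAN|wire transfer)\b", re.I),
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # SSN-shaped number
}

# Which group clears a subject for which sensitive label.
CLEARANCE = {"financial": "finance", "pii": "hr"}


def effective_tags(obj):
    """Explicit tags, plus inferred labels, plus an owner tag."""
    tags = set(obj.tags) | {f"owner:{obj.owner}"}
    tags |= {label for label, rx in CLASSIFIERS.items() if rx.search(obj.content)}
    return tags


def allowed(subject, action, obj):
    """Default deny. Owners may do anything to their own objects. Anyone else may
    only read, only if the object is tagged 'shared', and only if they are
    cleared for every sensitive label on it (explicit or inferred)."""
    tags = effective_tags(obj)
    if f"owner:{subject['user']}" in tags:
        return True
    if action != "read" or "shared" not in tags:
        return False
    needed = {CLEARANCE[t] for t in tags if t in CLEARANCE}
    return needed <= set(subject["groups"])


def select(objs, *wanted):
    """Query by attribute: 'things which contain financial information',
    or 'what is important to me' as ('owner:me', 'important')."""
    return {o.path for o in objs if set(wanted) <= effective_tags(o)}


# Constructed sample corpus: q3.xlsx is untagged but scans as financial;
# jane.doc is tagged financial by hand but also scans as pii.
CORPUS = [
    Obj("alice/notes.txt", "alice", "lunch ideas", {"important"}),
    Obj("alice/q3.xlsx", "alice", "Q3 payroll summary, wire transfer batch", {"shared"}),
    Obj("bob/jane.doc", "bob", "new hire, SSN 123-45-6789", {"shared", "financial"}),
    Obj("bob/todo.txt", "bob", "call vendor", {"shared"}),
]

CAROL = {"user": "carol", "groups": ["finance"]}
DAVE = {"user": "dave", "groups": ["finance", "hr"]}
ALICE = {"user": "alice", "groups": []}


def by_path(path):
    return next(o for o in CORPUS if o.path == path)


if __name__ == "__main__":
    print("financial:", select(CORPUS, "financial"))
    print("alice's backup set:", select(CORPUS, "owner:alice", "important"))
    print("carol reads jane.doc:", allowed(CAROL, "read", by_path("bob/jane.doc")))
```

The point of the inferred labels is the `bob/jane.doc` case: its owner tagged it "financial", so a finance-group user would expect to read it, but the scanner finds an SSN-shaped number and the policy then also requires HR clearance. Content scanning tightens access when a human under-labels; it should never loosen it, which is why the check requires clearance for the union of explicit and inferred labels rather than trusting either source alone.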

    1. Re:The problem with permissions by Johnyy_Bravo · · Score: 1

      You should be working on the M$ marketing dept!!!

      You say 'back up what is important to me'; the computer can't do it.
      Well, WinFS can! With its new mind-reading neural synergy(R) component infrastructure, WinFS provides exactly what is important to you!

      You say 'show me things which contain financial information'; the computer is again lost.
      WinFS isn't! Purchase the i-work(TM) 'bolt-on' to complement each WinFS connected drive. Your computer will decide all these things for you. Put your feet up and enjoy Microsoft's =Zero=Energy(R)= infrastructure.

      Buy Now! And Again!

      ---

      If one more person tells me how great "Rapid Application Development", "Code Databases" and fscking "Graphical" programming or office tools are more technologically advanced, I will puke on my keyboard.

      I want to be able to *tell* the computer what it will do, in no uncertain terms and I believe that people using two (or three) buttons and a lot of arm waving to "do" "work" are taking great leaps back down the evolutionary ladder.

      We have a linguistic ability shared by very few other mammals - so we should be using it! Until speech recognition is mainstream, keep using the keyboard and ditch the funny looking buttplug.

      Please!

      --
      In the event of my death, I wish to donate my Karma.
  46. Summer job by Anonymous Coward · · Score: 0

    Here in Belgium it's not that bad. I worked at a company last summer (as a student, just for one month). The first thing I had to do was to sign an agreement not to steal anything, yada yada. Then they gave me my account (administrative rights) and the password for local admin on the workstations. I could log in to any server I wanted, I even got internet access (albeit monitored). I've heard from others (friends of mine) that worked in other companies that the same thing happened. Doesn't look like they're worried about passwords and stuff :)

  47. Where'd these background checks come from? by Anonymous Coward · · Score: 1, Insightful

    After 5-plus years at my current position, I've been looking at possibly moving on. And I am amazed at how many companies now require "background checks", including access to one's financial and credit history over the course of one's employment. All for the sake of "trustworthiness" and verifying "lack of exploitability".

    I always refuse to sign. First of all, trustworthiness can be verified by current (who knows I'm looking) and previous employers. They're called references for a reason.

    Second, no company has a need-to-know regarding my--or anyone else's--financial and credit history.
    This is some of the most sensitive information people have, to just release to unknown individuals within a company. Before people state that companies are seeing me--and others--in the same way, see my previous point about "references".

    Besides, if the applicant is married, the company does not have the authorization to search the spouse's information. And the spouse may be the exploitable person--via drinking, gambling, drugs, overspending, etc. Or the kids. Or the parents. Or the siblings. Getting the picture?

    People just need to refuse to sign these forms, and wish the companies good luck finding someone. Of course, they're likely chasing away the very people who understand security.

    Chalk it up to lazy HR people and further attempts at control.

  48. Book review?! by MrNougat · · Score: 1

    Ohhh, it's just a book review. Because from reading the article title on the RSS feed, I thought there was a specific "insider threat" being reported on.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  49. I hate posts like this by bitslinger_42 · · Score: 1

    I hate to point it out to you, but company rules (and government laws, btw) are not written for those who are already doing good. They are written to limit the impact of someone who lacks your good behavior.

    Other posts have commented about the balance involved, and it is a difficult one to strike. In many cases, the official geeks (i.e. IT staff charged with maintaining the systems, etc.) need greater access, but part of the company's process should include a method of documenting who gets such access, why it is needed, and who takes responsibility for granting the exception. When done properly, this can mean that Joe Secretary is a limited user that is unable to install software on his computer, but Jackie Systemanalyst has local admin privileges so she can install and test the new version of Software X.

    Simple fact is, unless your company has only one employee, it is unlikely that any rule will fit 100% of the employees 100% of the time. The job of security/compliance/auditing is to ensure that all of the rules are applied in a standard fashion and that those exceptions are adequately documented in a way that allows a) figuring out what went wrong and b) who to fry for it when an employee abuses their position.

  50. IT Security by peterfa · · Score: 2, Interesting

    I'd have to say that this is actually blown a tad out of proportion.

    I used to work as a HelpDesk Technician for a school. This job was a tad different from ordinary HelpDesk positions at other places. I didn't handle problems over the phone. I'd walk to the office and fix it there. Now to do my job I was told the password for the built-in admin account on every machine. I was just a volunteer too.

    However, I often needed to get into someone's office when that person was absent. So I had to call security and have them let me in. The reason was because they would not let a student have a key. So I can have the admin password to every computer and for some reason, no key. I've spent countless hours waiting for security. Though to be fair, only the admins had control of the servers. These particular admins aren't stupid.

    Now, the one thing I did the most was clean spyware off of computers. I have found 200 and more pieces of spyware (and by spyware I mean adware + spyware, etc.) on administrative computers and in security. The administrative department uses passwords and enters student information. This means that the school was broadcasting private, personal, and sensitive information to some joe nobody knows.

    Oh wait, leaking personal student information poses no cost whatsoever to the school. Nevermind.

  51. A Better Solution by Brushfireb · · Score: 2, Insightful

    A Better solution is to do the following:

    - Hire good employees, who are relatively honest and straightforward people. This includes everyone -- IT, Sales, Administrative, etc. If they aren't honest, they shouldn't be working here. (This also tends to help with Corporate Responsibility -- how NOT to fudge the books in a crunch..) There are decent HR personality tests that can reasonably predict if someone would be untrustworthy in different situations.

    - Deal with your employees fairly, honestly, and be upfront. This will minimize the biggest source of insider problems -- disgruntled employees. For example, giving yourself a raise after or just before laying off other employees, is generally a Bad Thing (tm). Try to be honest with employees about their performance, what is expected, and what wont fly. Provide regular, upfront feedback. Follow through with action. Be Kind, Understanding, but Firm.

    - Trust your employees to make sound decisions. The employee who is berated and treated as if they "can't be trusted" will eventually turn into the employee who you fear them to be. If you don't trust them to start, then why should they care? Moreover, if you don't trust them, why did you hire them?

    - Give people ample access to what they need, but not so much access that it impedes others. For example, the IT administrator should have access to quite a bit. Asking for a password to do their job is not only inefficient, it's demeaning and downright stupid. Do you trust the IT people you have hired? Do you believe them to be competent? If so, then let them do their job. If not, then why did you hire them or why are they still working there? It's incredibly frustrating to employees to do what this book recommends -- lock down access. It's frustrating to the employee because they have to "ask" to do their job. And it's frustrating to management, who has to constantly hand-hold entering passwords as the employee progresses. Cut the leash.

    Overall, I think it's important for IT security people and Management to understand these risks. To watch for violations. But to base your company security policies on these types of ideas would be lunacy, and would kill any sort of company morale you might have had going for you. It's much easier to trust the people you work for, pay them fairly and well, and treat them like human beings than it is to try to lock them down in every way to "prevent" bad things.

    Certainly there are exceptions where even the very small percentage of bad employees can cause very large damage to the company. This should be dealt with appropriately within those industries -- and employees should know this DURING the application process, so they know what kind of BigBrother situation they are getting into.

    B

    1. Re:A Better Solution by bzipitidoo · · Score: 1
      Mod this up! There's too much focus on idiot technical measures and not enough on working with people. Whenever a disgruntled departing employee manages to do serious damage, the knee jerk reaction is to impose yet more restrictions ranging from the purely technical to the physical and legal such as having uniformed guards standing over the terminated employee to prevent any unauthorized action like touching of keyboards, and, of course, the escort off the premises. What about avoiding most of these ugly scenes by square dealing, so that if any grievance is still held, it is extremely unlikely to be a fair and legitimate one? Or exercising restraint on security policies so that the entire workforce doesn't become angered or depressed? No idea, but I would guess the majority of grievances are such that it would be to the company's benefit to address them. Most unbelievable is when it takes only a bit of niceness with a dash of good flattery (that is, not obvious and fake) to have an amicable parting but the parties are just too arrogant and afraid to admit they are in any way wrong, let alone apologize.

      As for idiocy, it's crazy to cut off Internet access because people "don't need it" when they actually do, or because some might abuse it (by posting on Slashdot?). As if there aren't plenty of other ways to be unproductive, such as solitaire, extended breaks, doodling, daydreaming, etc. The suggestion that most everyone should be cut off the Internet is a perfect example of bad reasoning on a misdiagnosed problem leading to a blanket overkill "solution". While we're at it, how about disconnecting all the phones so no one wastes time talking with their family and friends? Soon as a book seriously recommends such measures, I no longer take it seriously. I prefer authors that aren't paranoid control freaks. A point to consider is that the sort of control desired by a typical control freak usually makes things less secure.

      On the technical, what's with our systems anyway? We can make systems that are robust enough to handle a bit of vandalism. And without breaking the bank. It's terribly convenient for the author to hypothesize a ridiculously fragile system, so he can talk FUD, as if anyone can push The Button ala Dad's Nuke, and no one has any backups. Sure, systems with appalling weaknesses have been used, and incredible laxity has allowed spectacular failures, but most people aren't such fools. Still, I keep backups of my work in several places outside the company, just in case.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  52. Encrypted Data by nurb432 · · Score: 1

    And how many times has this been tried and yet when it's most important you get the call 'can you fix this file for me'? Most every time.

    Nope, no encryption allowed on my network, unless I hold the key.

    If any data is missing, you will be accused regardless. You are the computer guy, remember; it's ALWAYS your fault.

    --
    ---- Booth was a patriot ----
    1. Re:Encrypted Data by honkycat · · Score: 1

      Doesn't sound like you've been working with competent users.

      Good luck with that attitude if you ever work for competent people who are actually interested in the security of their organization.

    2. Re:Encrypted Data by nurb432 · · Score: 1

      Most users are not competent. Once you get out in the real world you will discover that.

      Also, if a company can't trust me to hold all the keys, I don't want to work for them in the first place.

      And just for the record, at the place I work currently, I do hold all the keys. I'm entrusted with our network/data safety (as I have been in the past with previous jobs). I also take that responsibility seriously.

      --
      ---- Booth was a patriot ----
    3. Re:Encrypted Data by honkycat · · Score: 1

      I've spent my share of time in the real world and I've dealt with plenty of people, competent and otherwise. My point is that if you're in an organization with a need for "real" security and you are really the only person capable of keeping track of passwords, there's a problem. That organization simply isn't capable of managing real security.

      For most organizations, though, real security is not that important. For those instances where it is necessary, though, having a single employee in a position to compromise every layer of security is an utterly ridiculous prospect.

    4. Re:Encrypted Data by Anonymous Coward · · Score: 0

      "For those instances where it is necessary, though, having a single employee in a position to compromise every layer of security is an utterly ridiculous prospect." ...or maybe not.

      As Bellovin states, the clever say "don't put all the eggs in a single basket"; the wise say "put all the eggs in one basket... and watch it very carefully".

      What's wiser? Having only one very trustworthy employee with access to the whole system (please note that this doesn't equal having just one point of failure in your system), or having three/four not-so-trustworthy ones *and* in a position to easily collude against you?

  53. So what's changed? by Anonymous Coward · · Score: 0

    I started in the computer industry in the mid '70s, and this problem was old even then. The mindset I was taught wasn't to lock everything down, so that no-one can do anything; it was to design, wherever practical, systems and processes to require collusion to break them. Give people the authority and access that they need to do the jobs they have to do, but share the roles out. Set everything up so that it takes at least two people to rob you blind, or to delete all your files and backups, or whatever, and you'll be vastly safer. One person with the power to do everything is a risk, because there *will* be bad apples; once that person has to get someone else to go along with them, though, whilst the risk doesn't disappear completely, it's tiny by comparison.

  54. THE BOOK IS NOT ABOUT THE INTERNET by drinkypoo · · Score: 1

    The intranet is not the internet.

    And the main subject of the book does not address the internet.

    It was not designed to address internet security.

    The intranet is not an open field. (P.S. Ever hear of the "tragedy of the commons"? Calling the internet a common is, to say the least, unnerving.)

    If you want the award of irrelevance, continue commenting.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:THE BOOK IS NOT ABOUT THE INTERNET by blair1q · · Score: 1

      An intranet based on the Internet is, indeed, the internet.

      And the internet is a common. The RFCs aren't standards except by consent of those choosing to stay within them.

      Look in the mirror for that irrelevance you seek.

  55. Translucent Databases by xant · · Score: 1

    IT needs access to do its job. We need *total* access to all systems and data or we can't be effective and might as well not go to work.


    While I disagree with the whole of this statement, I disagree most vehemently with the part in bold, so I'll address that.

    In world that cared about data security, NO EMPLOYEE WOULD EVER BE GIVEN ACCESS TO CUSTOMER DATA THAT WAS ONLY USED TO DRIVE THE APPLICATION. Take a look at the ideas in the book Translucent Databases (actually, even just read the summary on that page) and you'll get an idea of what can be done to minimize the risks posed by insiders. If your company deals with a lot of customer data.. let's say it has an ordering system like Amazon's.. there is NO employee in the company, not the CEO nor the CTO, who needs to know what your customer's credit card number is, or needs to be able to find out. Encrypt it so that only the customer's password can retrieve it (and that password, btw, is only in the customer's brain, because you're only storing a hash of it) and you've just eliminated the single biggest privacy threat in information systems today. The same goes for a wide variety of information about the customers which no employee ever needs to know.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    1. Re:Translucent Databases by Anonymous Coward · · Score: 0

      You're ignoring the customer service department. I develop our IVR and CS systems and there are several situations where I need access to such information:

      1.) In the case of extreme customer issue escalations, I need to be able to dig up a customer's complete history to figure out what has happened.

      2.) Development of affinity algorithms require access to the customer data in order to aggregate it (zip code affinity, CC bin affinity, gender, etc)

      3.) Testing- it's very helpful to be able to use actual data during the testing process (for instance, testing CC validation routines, etc).
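
    What the translucent design above looks like in code, and how it answers the reply's customer-service and analytics objections, as an added example that is not from the post, the book or any product: the database row holds a password salt, a password verifier (never the password), the card's BIN and last four digits in the clear for escalations and BIN-affinity work, and the full card number encrypted under a key derived from the customer's password. Someone with a full dump of the table learns BIN and last four and nothing more. The cipher below (HMAC-SHA256 as a counter-mode keystream, encrypt-then-MAC) is a stand-in so the example runs on the Python standard library alone; in production use an AEAD such as AES-GCM from a real cryptographic library. The test card number is the well-known 4111 1111 1111 1111.

```python
"""Translucent storage of a customer's card number (added example, not from the post).

Only the customer's password can unlock the full PAN. The organisation keeps
the fields it actually needs (BIN, last four) in the clear and nothing else.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def _derive_keys(password: str, salt: bytes):
    """Stretch the password, then derive independent purpose-bound keys from it."""
    root = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    verifier = hmac.new(root, b"verify", "sha256").digest()   # stored, proves the password
    enc_key = hmac.new(root, b"encrypt", "sha256").digest()   # never stored
    mac_key = hmac.new(root, b"mac", "sha256").digest()       # never stored
    return verifier, enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream/AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return nonce, ct, tag


def _decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or wrong key: refuse, do not guess
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_card(password: str, pan: str) -> dict:
    """Build the row the application stores for one customer."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    salt = os.urandom(16)
    verifier, enc_key, mac_key = _derive_keys(password, salt)
    nonce, ct, tag = _encrypt(enc_key, mac_key, digits.encode())
    return {
        "salt": salt,
        "verifier": verifier,
        "bin": digits[:6],        # in the clear: affinity analytics, fraud rules
        "last4": digits[-4:],     # in the clear: "is this the card ending in 1111?"
        "pan_nonce": nonce,
        "pan_ct": ct,
        "pan_tag": tag,
    }


def fetch_card(row: dict, password: str):
    """Return the full PAN only to a caller who supplies the customer's password."""
    verifier, enc_key, mac_key = _derive_keys(password, row["salt"])
    if not hmac.compare_digest(verifier, row["verifier"]):
        return None
    pt = _decrypt(enc_key, mac_key, row["pan_nonce"], row["pan_ct"], row["pan_tag"])
    return pt.decode() if pt is not None else None


if __name__ == "__main__":
    row = store_card("correct horse battery", "4111 1111 1111 1111")
    print("stored in clear:", row["bin"], row["last4"])
    print("with password:", fetch_card(row, "correct horse battery"))
    print("without:", fetch_card(row, "guess"))
```

    The trade-off is the one nurb432 complains about elsewhere in this thread: a customer who forgets the password also loses the stored card number, because no employee holds a key that can recover it, so the reset flow has to ask for the card again. The ciphertext length still reveals the PAN length; pad to a fixed size if that matters.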

  56. All Data. No exceptions by nurb432 · · Score: 1

    Don't try coming to work for me is all I have to say about that.. You wouldn't last 10 minutes. ( if you even got hired )

    If the CEO wants the data, it's his to have. Period. End of discussion.

    --
    ---- Booth was a patriot ----
    1. Re:All Data. No exceptions by Anonymous Coward · · Score: 0

      You are not very smart. I think maybe I did work for you, once. I had to clean up after your mistakes all the time.

      Truth is, if the CEO wants the data, he can have it -- as long as the request is recorded. He'll never ask for it, so if someone logged in as the CEO is trying to access credit card data, it's not him. The CEO's password, of course, will be given out to anyone who asks, and will also never change, so the idea that the CEO's account should have access to the data is stupid.
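
    The detection logic behind "he'll never ask for it, so if someone logged in as the CEO is reading card data, it's not him", written out as an added example that is not from the post or any product. It builds a per-account baseline from an audit history (largest read seen per table), then flags a first-ever read of a sensitive table by an account, a read far larger than that account has ever done, and audit lines the parser cannot read. The log format and every log line below are constructed for the example.

```python
"""Flagging access by accounts that should never need it (added example).

Constructed audit-log format (assumption for this example):
  <timestamp> user=<account> action=<verb> table=<name> rows=<n> src=<ip>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)
SENSITIVE_TABLES = {"cards", "customer_pii"}
BULK_FACTOR = 10  # alert when rows exceed this multiple of the account's past maximum

# Constructed history: the settlement batch reads cards nightly, a CS agent reads
# a few PII rows, the CEO's account only ever reads the sales summary.
BASELINE_LOG = """\
2006-02-06T02:00:01Z user=batch_svc action=SELECT table=cards rows=500 src=10.0.1.20
2006-02-07T02:00:01Z user=batch_svc action=SELECT table=cards rows=470 src=10.0.1.20
2006-02-07T10:14:09Z user=cs_alice action=SELECT table=customer_pii rows=5 src=10.0.4.31
2006-02-07T16:03:44Z user=ceo action=SELECT table=sales_summary rows=12 src=10.0.9.2
"""

# Constructed window under review.
REVIEW_LOG = """\
2006-02-14T02:00:02Z user=batch_svc action=SELECT table=cards rows=480 src=10.0.1.20
2006-02-14T09:12:03Z user=ceo action=SELECT table=cards rows=4200 src=10.0.5.7
2006-02-14T11:30:00Z user=cs_alice action=SELECT table=customer_pii rows=3 src=10.0.4.31
2006-02-14T23:58:10Z user=batch_svc action=SELECT table=cards rows=250000 src=10.0.1.20
2006-02-14T23:59:00Z garbage line the parser cannot read
"""


def parse_line(line):
    """Return a dict for a well-formed audit line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def build_baseline(log_text):
    """Per account: the largest read ever seen on each table it has touched."""
    baseline = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        seen = baseline[rec["user"]]
        seen[rec["table"]] = max(seen.get(rec["table"], 0), rec["rows"])
    return baseline


def detect(log_text, baseline):
    """Return (timestamp, user, reason) for every line that deserves a look."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Never drop an unreadable audit line silently; a gap is itself a signal.
            alerts.append(("?", "?", "unparsable audit line: " + line.strip()))
            continue
        history = baseline.get(rec["user"], {})
        table = rec["table"]
        if table in SENSITIVE_TABLES and table not in history:
            alerts.append((rec["ts"], rec["user"],
                           f"first-ever access to sensitive table {table} from {rec['src']}"))
        elif table in history and rec["rows"] > BULK_FACTOR * history[table]:
            alerts.append((rec["ts"], rec["user"],
                           f"bulk read of {table}: {rec['rows']} rows vs past max {history[table]}"))
    return alerts


def run():
    """Run the review window against the baseline; returns the alert list."""
    return detect(REVIEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for ts, user, reason in run():
        print(ts, user, reason)
```

    The second rule matters as much as the first: the batch account is allowed to read the cards table, but an insider who has that account's credentials and pulls the whole table at midnight looks nothing like the nightly settlement run. The baseline should be rebuilt from a window that predates the incident you are hunting, or the attacker's own activity becomes "normal".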

  57. Re:OH, joy. Another anti-IT witch-hunting book. Ya by crazyphilman · · Score: 1

    Fair enough. Maybe your book IS balanced. I'm not going to buy it to find out, of course... But you do realize that this sort of book traditionally sets management and employees at odds.

    Who reads it? Management, which feels above reproach and won't consider itself to be a threat even if your book has a whole chapter entitled "Management: A Threat".

    Who suffers from it? Mostly the IT department, because they're closest to the data, they're usually not politically connected at all, and Management doesn't know how their jobs really work, so they're mysterious and spooky.

    Joe Manager isn't going to pick on his sales staff. He understands them. He gets along with them. They go drinking together. The same goes for his fellow managers.

    Joe's going to pick on the weirdos in the IT department. He's going to read your book and think "they have control over MY database! They're weird and different, and I don't drink with them! Somebody must DO something!"

    And, just like that, your so-carefully-balanced book becomes a tool for management to use against employees, usually by justifying the implementation of ridiculous, poorly-thought-out policies designed to "get those people under control". It's just basic human nature, and it's disingenuous for you to say it doesn't work like that.

    Whenever I hear about a book like yours, I think "what's he selling me?" Because anytime someone tells you you should be worried about X, they're about to sell you Y.

    Of course, what you're selling is a BOOK.

    --
    Farewell! It's been a fine buncha years!
  58. Re:OH, joy. Another anti-IT witch-hunting book. Ya by crazyphilman · · Score: 1

    "He's got a shoe! A SHOE!"

    --
    Farewell! It's been a fine buncha years!
  59. Guilty till proven innocent? Or..? by jandersen · · Score: 1

    In my 30+ years of experience working in IT I've found that companies can be run in basically two ways when it comes to the question of security. One is to be anal retentive and implement restrictions on everything so that you can't breathe; this creates a climate where nobody trusts each other, and of course it breeds resentment etc.

    The other way is to trust everybody - that tends to make people feel responsibility for the company, the team, the project or whatever. This doesn't mean that everybody should have root access to every server, what I am talking about is the difference between armed guards/barbed wire and a polite notice saying 'Please don't walk in the flowerbeds'. I think about 99% of a company's employees want to do the right thing and don't want to mess around with things they shouldn't; and the 1% who want to mess around will do so no matter what security measures are in place.

    I was a systems programmer in one place with ultra high security: 3 levels of security zones, even system programmers couldn't go to the 3rd level (but all the bosses, of course, although they didn't know a thing about the systems). This was a mainframe shop with VM at the bottom and a number of MVS systems on top of that, a fairly common setup I believe; as I said I couldn't get access to important datasets without written permission from somebody higher up. On the other hand, I had the VM console on my desk and could access everything without even being logged anywhere; that just goes to show how fragile these security measures are. They are generally thought up by incompetents in the financial departments, and you can often walk right through them.

    And at the end of the day, you still have to trust somebody; so why not do it properly and make a climate where trustworthiness is a natural thing?

  60. pay IT more, then you can trust them more by Anonymous Coward · · Score: 0

    People work for money usually more than other things. Hire qualified, professional IT staff. Give the higher-up IT people the money and respect they deserve, and they'll protect your data and your company. Who else is going to protect it but them?